David Maynor responds to the Macalope's post below.
To start with, lets [sic] settle that dyld isn't a library so Apple's ASLR implementation is just peachy thread in his comments section.
That's a misreading or misrepresentation of the discussion in the comments section. The point was whether or not, as Maynor said, Apple lied about its implementation of ASLR. The Macalope's seen no evidence they lied about it. He's not happy with the way it's portrayed in the Leopard materials, but it's not a lie.
But contrary to Maynor's contention, the Macalope and even the commenter in the post below are not arguing that Apple's implementation of ASLR is "just peachy". It's not. It's better than no implementation of ASLR, but not much.
If somebody says Microsoft did something right they must be bribed.
OK, fine. The Macalope doesn't know the particulars of Maynor's relationship with Microsoft. But the company has pretty much plied everyone on the planet with free drink and food (that was the extent of the brown and furry one's insinuation, not that any cash passed hands) at some point, so that was not much of a stretch. The Macalope himself fondly remembers a free lobster shindig he attended in Boston some years ago sponsored by the great Satan from the Pacific Northwest.
Did the mythical beast with a head shaped like a classic Macintosh partake of Bill Gates' forbidden seafood temptation?
Hell, yes. As a matter of fact, he not only ate the two lobsters that were his due, he ate another one off the plate of a friend.
For a ruminant from the high mountain plains, the Macalope sure loves him some lobster.
But frankly -- and the horny one actually had a sentence about this in the previous post that he edited out for brevity -- despite the ethical concerns, he wishes Apple played this game better. A few cozy keggers with people in the security biz couldn't hurt.
Sorry, that's not the case...
You've never been to a Microsoft-sponsored shindig? Really? You should get out more. There's probably one just down the block from you going on right now.
... I just think some simple things they have done will increase the overall reliability and safety of their applications.
It's true. After forcing their customers to become experts in repeatedly reinstalling the company's operating system to get rid of malware (the Macalope knows people who brag about how fast they can get their XP systems up and running again), Microsoft has made an operating system that is more secure.
Which has not yet achieved wide-spread adoption.
And this is the problem. In some perfect sphere of Platonic logic somewhere, Windows users have a more secure operating system experience. Here in reality, however, it's still Mac users.
For now.
You see Apple's problem in security is not the technology. OSX has a great pedigree with its FreeBSD ties and all these problems previously mentioned are fixable. The problem I see with OS is Apple. Unless I am mistaken the Apple Security team is 4-5 people, or at least it was last year at this time. That is like having one police officer patrol New York City, it's ridiculous.
But Apple doesn't live in New York City, David. It lives in Newton, Massachusetts. Yes, there have been a few break-ins and people are concerned that the place could get turned into Flint, Michigan some day if Apple's not careful, but today that's not the case.
A commenter in Maynor's thread notes that there are at least 7 people on Apple's security team. The Macalope has no idea how many people is enough, but he likes Maynor's suggestion that Apple appoint a chief security officer, because the Leopard implementation of several items -- particularly turning off the firewall -- reeks of security just not being anyone's responsibility there.
David Maynor is back on his Apple security hobby horse and rocking it faster than a 5-year-old hopped up on pre-holiday candy canes. Despite his usual over-the-top Apple invective, he makes some valid points and provides some helpful information for people using QuickTime on Windows.
Apple announced ASLR as a feature in their latest version of the operating system, Mac OS X 10.5 (Tiger [sic: Leopard]). However, Apple largely lied.
You might be surprised to hear the Macalope agree with Maynor, but he's right. OK, maybe [See update below] "lied" is too strong, but they certainly misrepresented it.
Read the OS X Leopard Security Technology Brief (PDF).
In Leopard, libraries are loaded into random addresses when the system is installed and at any time that library prebinding is updated on the system (typically after system software updates, though you can manually force an update by running the "update_dyld_shared_cache -force" command).
Now read Thomas Ptacek's roundup of Leopard security features.
The dynamic linker library (dyld) is not randomized. From what I can tell, ten different Leopard macs booted at ten different times will have the same offset to dyld.
You care because dyld is full of useful functionality. Like, dynamically linking new libraries into memory, or recovering the base addresses for existing libraries.
Clearly, not all libraries are randomized and it's hard to take Apple's documentation any other way than saying that all of them are. [UPDATE: As a commenter points out, dyld is not a library itself. It's the pathway to libraries. So, yes, libraries are randomized, but that doesn't mean much if dyld isn't. It's like being in the witness protection program and having the government move you to an undisclosed location and then updating your address on Facebook so all your friends will know where you are!]
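The check a practitioner would actually run on the two quotes above is to snapshot where dyld and the libraries land in a process, take the same snapshot again later, and see which images never move. Here is an added example of that comparison; it is not code from the original post, from Ptacek's write-up, or from Apple. The snapshot format (one "path 0xaddress" line per image, paths without spaces) and every address in the sample are constructed for illustration; on a real Mac you would reduce a memory-map listing of a running process to that shape first. Two caveats the passage implies: Apple's brief says libraries are re-randomized at install time and when prebinding is updated, not on every boot, so snapshots taken across reboots alone will show every library as "fixed" and tell you nothing, and the useful comparison is across runs of the update_dyld_shared_cache -force command the brief names; and a small number of samples can coincide by chance, so take more than two before calling an image non-randomized.

```c
/*
 * Added example, not code from the original post or from Apple: given
 * several snapshots of image load addresses ("path 0xaddress" per line,
 * one snapshot per run of update_dyld_shared_cache -force), report the
 * images whose address never changed. Paths without spaces are assumed.
 * All sample data below is constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_IMAGES 64
#define NAME_LEN 128

typedef struct {
    char name[NAME_LEN];
    uint64_t addr;
} image_rec;

/* Parse one snapshot into records; returns the number parsed.
 * sscanf's %llx accepts an optional "0x" prefix. Lines that do not
 * fit the "path address" shape are skipped. */
static int parse_snapshot(const char *text, image_rec *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p != '\0' && n < max) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[NAME_LEN + 32];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        unsigned long long addr;
        if (sscanf(line, "%127s %llx", out[n].name, &addr) == 2) {
            out[n].addr = (uint64_t)addr;
            n++;
        }
        p = eol ? eol + 1 : p + strlen(p);
    }
    return n;
}

/* Return how many images from snaps[0] sit at the same address in every
 * other snapshot, copying their names into fixed[]. An image missing from
 * any snapshot is not reported: with no address to compare, nothing can
 * be said about it. */
static int fixed_images(const char *const *snaps, int nsnaps,
                        char fixed[][NAME_LEN], int max_fixed)
{
    image_rec first[MAX_IMAGES], other[MAX_IMAGES];
    int nfixed = 0;
    if (nsnaps < 2)
        return 0; /* one sample says nothing about randomization */
    int nfirst = parse_snapshot(snaps[0], first, MAX_IMAGES);
    for (int i = 0; i < nfirst && nfixed < max_fixed; i++) {
        int constant = 1;
        for (int s = 1; s < nsnaps && constant; s++) {
            int n = parse_snapshot(snaps[s], other, MAX_IMAGES);
            int found = 0;
            for (int j = 0; j < n; j++) {
                if (strcmp(first[i].name, other[j].name) == 0) {
                    found = 1;
                    if (other[j].addr != first[i].addr)
                        constant = 0;
                    break;
                }
            }
            if (!found)
                constant = 0;
        }
        if (constant)
            strcpy(fixed[nfixed++], first[i].name);
    }
    return nfixed;
}

/* Constructed sample: three snapshots in which the two libraries move
 * and dyld does not. The addresses are made up for illustration. */
static const char *const SAMPLE_RUNS[] = {
    "/usr/lib/dyld 0x8fe00000\n"
    "/usr/lib/libSystem.B.dylib 0x93a1c000\n"
    "/usr/lib/libobjc.A.dylib 0x90f30000\n",
    "/usr/lib/dyld 0x8fe00000\n"
    "/usr/lib/libSystem.B.dylib 0x95c4b000\n"
    "/usr/lib/libobjc.A.dylib 0x921d7000\n",
    "/usr/lib/dyld 0x8fe00000\n"
    "/usr/lib/libSystem.B.dylib 0x9071e000\n"
    "/usr/lib/libobjc.A.dylib 0x9a0a5000\n",
};
#define SAMPLE_COUNT (sizeof SAMPLE_RUNS / sizeof SAMPLE_RUNS[0])

static char g_fixed[MAX_IMAGES][NAME_LEN];

/* Run the check over the constructed sample; returns the count of
 * images that never moved and leaves their names in g_fixed. */
static int run_sample(void)
{
    return fixed_images(SAMPLE_RUNS, (int)SAMPLE_COUNT, g_fixed, MAX_IMAGES);
}

int main(void)
{
    int n = run_sample();
    printf("%d image(s) at the same address in all %d snapshots:\n",
           n, (int)SAMPLE_COUNT);
    for (int i = 0; i < n; i++)
        printf("  %s\n", g_fixed[i]);
    return 0;
}
```

On the constructed sample the only image reported is /usr/lib/dyld, which is exactly the shape of Ptacek's observation: the libraries slide, the thing that finds the libraries does not.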
Microsoft has impressed the security community with its dedication to secure coding practice.
The Macalope suspects that the free keggers the company throws for security professionals and, well, everyone and their alcoholic mother don't hurt, either. And it's great that after years of making their users take it in the shorts on security by making them easy victims to, you know, actual real-world malware, that Microsoft can make bygones be bygones with security pros by tossing them some free shrimp like the barking seals that they are and then delivering a new OS with some good security features that sadly not that many people are taking advantage of because the cost in time, effort and cold, hard cash to upgrade from XP still often comes out to a losing proposition.
But the Macalope readily admits that Apple has rested on some comfortable security laurels and for every step forward they've made there's been a half a step back.
Installing Apple code on a Microsoft Vista system will make that system unsafe. Since these QuickTime vulnerabilities are equally exploitable on both Vista and Mac OS X 10.5, the fans might conclude that both operating systems are equally safe. This is not true, Vista is vastly more secure than the Macintosh.
"Vastly" is debatable. The structure is there, Apple just needs to implement it properly. Many of the items Ptacek points out are user-correctible. Apple could be just a dot release away from fixing them if it wanted to.
Apple's only advantage over Microsoft is their small market share, which means hackers are less interested in them. However, as hackers are having a harder time cracking Vista, they are getting more interested in the Mac, and we are seeing more exploits and more malware targeting Apple users.
This isn't yet a problem thanks to the legacy installs of XP and previous versions of Windows, but it will become more true as more Windows users inevitably adopt Vista (or move to the Mac or Linux). The situation is helped along, of course, by so-called security "professionals" who -- either because they love those Microsoft-sponsored security conferences or because they just really, really hate that "I'm a Mac" guy! -- are all too willing to yell "Look over there!"
Does the computer security industry ever strike you like a protection racket? "Nice operating system you have here. It'd be a shame if something were to happen to it."
Apple seems to be making some of the right moves, but not in a comprehensive manner. The Macalope would rather 2008 were not the year of the great Mac security epidemic.
Every time Adrian Kingsley-Hughes blogs about Apple, a kitten dies.
Well, on the inside anyway.
This time out, AKH starts by noting how similar Leopard and Vista are.
Like Vista is [sic] long awaited...
Yeah. Six years, two and a half. What's the difference?
Oh, that's right. Four Three [Gar! Antlers must be growing into the Macalope's brain!] and a half years.
...like Vista the launch was delayed...
The Macalope will just point out that Bill Gates originally stated that Vista would ship in 2005 and it didn't ship until this year. Leopard was delayed six months. Even if you're inclined to be charitable toward Vista, it was still later by a factor of more than two.
...and like Vista, I got the impression that Apple rushed a bit to get it out of the door because the Mac fanboys were getting restless.
And we all know how Steve Jobs likes to base his decisions around what Artie MacStrawman thinks.
Sure, it's not unreasonable to get the impression Leopard was rushed for an October release -- certainly Apple didn't want to miss its already bumped release date. Kingsley-Hughes is magnanimous in his willingness to allow that Leopard -- an operating system delivered in two and a half years after a six month delay -- would have roughly the same level of stability that Vista -- delivered in six years after at least a year-long delay -- has.
Now, the horny one might think one would expect the operating system that took 240% longer to reach its users to be demonstrably more stable but, whatever.
In the Macalope's experience over the last week with Leopard, it has been as solid as any major OS X release. He's experienced only minor glitches with some third-party applications and once trying to set up a new printer. The Finder -- while we still may not be seeing Apple's best work here -- is better and faster than ever.
Isn't that odd? An operating system update that actually makes your computer faster?
That said, I have to admit that I'm surprised and a little shocked at the types of bugs affecting Leopard, not to mention the volume of people that appear to be affected.
Well, that's weird. Wasn't the Macalope just pointing out how no one knows how many people are affected and there just isn't a good way to tell?
Yes. Yes, he was. Is this thing on? Hello? Hello?
Oh, and let's not forget the new Mac Trojan.
Yeah! And what about Scarecrow's brain?! And where's Jimmy Hoffa buried?! And how many licks does it take to get to the center of a Tootsie Pop?!
The Mac Trojan really has nothing to do with Leopard's release. It seemingly affects all versions of OS X, with 10.5 actually having the sole benefit of letting you at least see the malicious DNS server the trojan adds.
I'm hoping that updates are released before any of this stuff becomes an issue for me.
Adrian, you've got one Mac. Are you planning on upgrading from Tiger to Leopard on it again? Then you're not going to get the blue screen problem which really seems to have been the biggest. The Macalope frankly is not sure what crashing and performance issues you're talking about since you provide no link and, as he said, his experience has been that Leopard is as stable as Tiger and, in some key operations, is faster not slower.
Again, have people upgrading to Leopard had some problems? No question. As is the case with any dot-oh release (or, in OS X's case, dot-something dot-oh). Is the remedy to simply lock yourself in your underground bunker until 10.5.1 is released? Well, no. For starters, 10.5.1 might not solve all these issues. But also, you might not run into these issues in the first place.
Read up on the affected third-party applications and other issues, do a full backup (or two!) and go for it if you want to.
You're going to want to do those things anyway.
Seriously, these nattering nabobs of negativity who run around the silly punditsphere trying to scare people away from things they could use right now ("Wait for 10.5.1! Wait for the second rev of the iPhone! For god's sake, don't buy anything new and/or shiny!") positively drive the Macalope to fits of apoplexy.
This is not alchemy, folks. And Halloween is over.
Matasano Security's Thomas Ptacek provides an excellent run-down of Leopard's new security features (tip o' the antlers to Ryan Naraine). Remember what the Macalope said a couple of weeks ago?
We can argue whether these are the right measures to be taken or how effectively they're being implemented, but this is still good news.
Well, a funny thing happened on the way to implementing Leopard's new security features...
Some of it's good, but much of it's bad or at least disappointing that Apple did not implement the features in a more robust method.
It's some good news (well, sort of...) that several of the problems are with default settings and users can quickly correct them, but turning off your firewall even on an upgrade? Sheesh. That's like paying a contractor to renovate your house while you're out of town and you come home and find all the doors and windows open and when you say, "Hey! Goober! What gives?!" he says "Oh, I just wanted to make it easy for you to get in when you got home."
Brier Dudley of The Seattle Times has taken Apple to task for supposedly rushing a buggy operating system out the door.
The problem with Dudley's thesis is that while there's certainly proof of bugs in Leopard, there's no proof of more bugs than in any other major OS release. See, there just isn't any non-anecdotal way to determine this because the "one need only peruse Apple's support forums" theory of applied statistics is about as useful as the "online polls say" theory but without the benefit of a bar chart. Simply put, forum postings and blog comments suffer from self-selection and are not a valid indicator of whether or not a piece of software sucks.
Perhaps a good-looking and technologically savvy reader can think of a valid statistical indicator as the Macalope is at a loss.
Dudley links to a post by Erica Sadun at the Unofficial Apple Weblog which is, frankly, ridiculously dire:
If you have only one computer and it's your production machine, don't upgrade. The 10.5 upgrade is a big one--not a small update, not a few bug fixes.
That's true and people need to take responsibility for their own decision to upgrade. You don't have to upgrade.
Lots of stuff gets broken...
This is pretty irresponsible. The Macalope--like most people--did the default upgrade and nothing was broken. Now, for some people some things may have gotten broken, and some of it may have been important or the breakage may have been severe. But the vast majority of upgrades went smoothly and "lots of stuff" is just an absurd exaggeration.
Apple didn't get its gold master out to third party developers in time for the upgrade path to proceed smoothly.
The same could be said of Tiger. That is, like it or not, Apple's m.o. But it's certainly not the reason for the biggest compatibility issues. The difference between the last developer seed of Leopard and the gold master in all likelihood means that some applications could experience minor issues at worst. If there is a single application that suffered severe problems because developers didn't get the gold master until Friday night, the Macalope has not heard of it. And his ears are particularly large and, apropos of nothing, rather furry.
None of this is to say that all those who upgraded to Leopard had a swell ol' time and that it was nothing but puppies, kittens, and flowers. But it's not like Tiger's release (or Vista's, or XP's or...) didn't have any problems. Let's try to keep it in perspective.
Of course Dudley's reliance on two "sources"--one a commenter who seems to have had an unusual (if not nearly fantastical) experience and the other a Cassandra-esque blog post--is simply silly pundit jackassery.
Internet Security for Your Macintosh reports (tip o' the antlers to MacJournals News) that Leopard's Back To My Mac feature bypasses local login and will allow full access to a machine it's enabled on solely via the .Mac login and password entered into the .Mac preferences pane.
So, if you lent your mother your .Mac password so she could post her kitty pictures to your Gallery...
...she can see you're looking at porn, dude.
Somehow the Macalope missed this in all the Leopard news, but one casualty of Apple's latest release is Sherlock.
Somehow it's always sadder when they anthropomorphise them. Don't get the horny one started on poor Cyberdog.
The Macalope guests again on MacBreak Weekly as we take a look at Leopard and bid a fond farewell to Tiger.
One of the Macalope's redoubtable readers says he received an ADC (Apple Developer Connection) email this morning promising Leopard would be available for download "soon", along with documents and code examples.
"Don't download it from some file sharing site! We're working as fast as we can, darn it!"
Well, really, if you're an ADC member (or anybody), you shouldn't download Leopard from a file sharing site. But, then, developers probably shouldn't have to.
The Macalope's new neighbor Tom Krazit (note to self: must have him over for drinks) discovered that one of the feature-complete copies of Leopard distributed at WWDC has found its way onto file-sharing sites.
The Macalope's not exactly sure how the distribution was handled -- he knows they weren't just under the seats, they had to be picked up at a booth -- but if Apple's able to tie a developer ID to a particular copy, this strikes the furry one as probably the fastest way to get bounced from the program and have your membership in the Bertrand Serlet Fan Club revoked.
Meanwhile, the Macalope hears from one of the mermen he does pilates with that developers not well-heeled enough to attend WWDC are still cooling those same heels waiting to be able to download their copy.
Well, legally, anyway.
C'mon, Apple. If file sharers can find the time to do it, don't you think you could too?