Exactly. Apple is responsible for a huge loss of freedom in the War On General Purpose Computing. This "appification" is exactly what Cory Doctorow was talking about in his famous essay[1]. We are already beginning to see some of the nastier effects that we warned about[2] with, for example, John Deere's attempt to retain ownership[3].
Apologists will complain that you can turn off SIP (or jailbreak your phone) to regain control over your computer, but that isn't possible for most people. Installing certain types of software went from "run the installer" to "follow these complicated technical instructions" (or worse).
What I find more worrying is how easily technical people are fooled into supporting this loss of freedom. Scream "security" and suddenly it's ok for Apple to have root but not the supposed "owner" of the device? Of course, they know how to disable the restrictions or install a jailbreak, so these problems don't apply to the technological priesthood - it's normal people that have to live with the restrictions.
Well, this hubris will not last - once Apple can starts using the new Trusted Computing[4] features on new CPUs (such as SGX[5]), good luck regaining control.
It would be nice if more people actually bothered thinking about long-term consequences.
> Apple can [sic] starts using the new Trusted Computing[4] features on new CPUs (such as SGX[5]), good luck regaining control.
It seems the apocalypse came to pass a while back, with the Secure Enclave in Apple's A7 processors.
> Of course, they know how to disable the restrictions or install a jailbreak, so these problems don't apply to the technological priesthood - it's normal people that have to live with the restrictions.
Here's the funny thing: normal people benefit from those restrictions. Without them, their devices – the ones you insist they should own – would quickly become someone else's: the attacker's. It would be awesome if people started thinking about long-term consequences.
Honest question: do you hate root? Should all processes run with equal privileges? Does the kernel have an evil and undesired permissions level?
> Honest question: do you hate root? Should all processes run with equal privileges?
Of course not. Stop making up straw-man arguments.
> Without them, their devices – the ones you insist they should own – would quickly become someone else's: the attacker's
So users cannot run any program they download? Or are you claiming that programs that run as a user - with no intention of touching system files - cannot harm that same user? Many past exploits and trojans run entirely as the user.
SIP may protect the OS, but it will do very little to protect the user. Unfortunately, while this should be obvious, scaring people into giving up their freedom works, even when the "solution" doesn't actually do much (or anything) to prevent the supposed threat.
> do you hate root? Should all processes run with equal privileges? Does the kernel have an evil and undesired permissions level?
The key difference here is that root is well known to be the all-powerful user, the one that really owns the system, while SIP is Apple's attempt at removing the power that root should have.
Given that Apple could have actually taken away root's power if they wanted to, it seems kind of inaccurate to call this an attempt to do so. They have given the user the option to have root on or off with a default of "off." They didn't attempt to disable root and fail.
I understand your concerns about taking away user power, but this doesn't seem to be that. The user still has the power to do the same things, they just have to decide that they want it. You could just as well say that not making the system files world-writable takes away the user's power, but in fact it's just locked behind a door that the user has the power to open.
If a user can't turn off SIP they probably shouldn't turn off SIP. SIP is great for the vast majority of users, i.e. normal users, and for those who don't want SIP it's easy to turn off. Basically I'm saying only technical people should be turning SIP off.
Note, that I'm biased for SIP because I'm implementing it for FreeBSD, even though I know I will be turning it off because SIP impedes my fuzzer development.
Why would a person turn off a feature they don't understand? Besides, the only people who have issues with or even know what SIP is are technical people. The average Mac OS X user doesn't even know about the hidden directories that SIP is protecting or what dtrace even is. If Apple made it so SIP could not be turned off I would be with you on this, but you can turn off SIP.
Also what war on general computing? If a person wants full control of their operating system they can use one of the free open source ones like FreeBSD, one of the thousands of Linux distros, illumos, OpenBSD, NetBSD, etc, etc.
This doesn't have a damn thing to do with dtrace. This is about Apple asserting that they own your computer, de facto, not you.
Assumptions you're making:
* That the ability to disable SIP will always be available, forever, even though Apple has incentives to continue making their products more an "appliance" and less a "computer". I already said there are hardware features in new CPUs that are specifically designed to make that impossible. (see previous [5])
* That SIP will continue, forever into the future, to protect only those hidden directories.
* That Apple always knows what is better for the user, and won't exploit that power.
> turned off
Why is it that any time someone starts grabbing for power, there are always people that say we should ignore it because there is some workaround, or it's only an insignificant amount of power? Power is accumulated in small steps, with the hope that nobody notices until it is too late.
As an analogy, you might say that I'm warning you that someone seems to be placing some gas cans around your property, and you might want to stop them before they decide to light a match. Meanwhile, you (and quite a few other people) are saying it's no big deal because you can just step over those gas cans - they aren't blocking the walkway much.
Apple is taking your root access away, and you're fine with it. They are saying that they de facto own your computer, not you. Yet you're fine with it.
> Also what war on general computing?
I'm somewhat shocked. All I can say is you have quite a bit of catching up to do. For the answer to that question, see my previous [1] and [2]. For [1], I linked to Doctorow's essay, but he links to his original lecture at 28C3 if you prefer. That lecture introduces the War, while [2] continues with a discussion of why we need to solve this problem now, as the ramifications extend much further than Apple and the ability to gain root.
Again, you might want to think long and hard about the long-term consequences of giving up root access to Apple. Security can be provided for the user without handing control over to Apple.
They don't assert ownership; they set a default setting to prohibit a potential security hole. This is the same principle as a master key: if there is a hole you can exploit, there exists a hole which someone else may exploit.
> * That the ability to disable SIP will always be available, forever, even though Apple has incentives to continue making their products more an "appliance" and less a "computer". I already said there are hardware features in new CPUs that are specifically designed to make that impossible. (see previous [5])
> * That SIP will continue, forever into the future, to protect only those hidden directories.
> * That Apple always knows what is better for the user, and won't exploit that power.
All the assumptions he's making are about what ACTUALLY happens, today.
All your assumptions are about uncertain future events and "what ifs".
So you're saying we should inductively reason that Apple will never change their behavior even though they already restrict the iphone? This is a large claim.
Do you want a warning about the possible arsonist who seems to be stacking gas cans near your house? Do you want to insist that he isn't a problem because he hasn't burned your house down yet?
Both of those are claims about the future. I'm basing mine on Apple's history with the iphone and the direction their actions have taken over the last decade. The claim you describe as being "about what ACTUALLY happens today" is really a claim about Apple's behavior into the future. I see no contract guaranteeing they won't change SIP. What I do see is a lot of people seeing what they want to see.
>So you're saying we should inductively reason that Apple will never change their behavior even though they already restrict the iphone? This is a large claim.
No, I'm saying that what IS has more substance than the myriads of things that we're worried that CAN BE.
And, for this specific question mentioning the iPhone, I'm also saying that restricted, special purpose devices, which were ALWAYS sold as such (like mobile phones ever since the early nineties) are not the same as PCs which have other use cases and history.
>Do you want a warning about the possible arsonist who seems to be stacking gas cans near your house?
Not when the only reason to think of them as "arsonist" is for stacking gas cans, when that also has another very logical explanation (e.g. he's building a gas station).
In the case of Apple, they're improving the security of OS releases, the same way Microsoft and others do. Sandboxes, secure modes, signed apps, are all standard things security researchers have been advising for years.
In all those years since they introduced signed and sandboxed apps, they never removed the ability to run non sandboxed and/or non-signed apps. So I also doubt they'll remove the ability to turn off SIP, as it's still needed for various use cases.
But even if they do change the SIP, no big deal for 99% of their customers. The rest can always use another platform, unless they value the (then) convenience, virus-tolerance etc of OS X more than they value the "do everything with them" openness of other platforms.
Just because some people started with an 'assemble yourself' kit PC in the 80s, it doesn't mean that the essence of having a PC is all about custom rigging it. And even more so, that was never the allure of Apple PCs (neither implicit nor advertised). It was "it just works".
> This doesn't have a damn thing to do with dtrace. This is about Apple asserting that they own your computer, de facto, not you.
Dtrace is one of the features that is limited by SIP so yes this has something to do with dtrace.
> That the ability to disable SIP will always be available, forever, even though Apple has incentives to continue making their products more an "appliance" and less a "computer". I already said there are hardware features in new CPUs that are specifically designed to make that impossible.
Yes, Apple could get rid of the ability to turn off SIP; I don't believe they will. Doing so would anger developers and technical users; these people have a huge amount of say on what technology gets used in their organization.
> That SIP will continue, forever into the future, to protect only those hidden directories.
I don't assume that it will only protect those hidden directories, because it protects other system resources as well. I also hope apple keeps adding to the list of protected resources, to continue securing Mac OSX and IOS.
> Why is it that any time someone starts grabbing for power, there are always people that say we should ignore it because there is some workaround, or it's only an insignificant amount of power? Power is accumulated in small steps, with the hope that nobody notices until it is too late.
This is not a power grab; this is a company securing their products for their users. Even if this somehow is a power grab by Apple, so what. No one is forced to buy Apple's products, and if Apple wants to do things that make their products less desirable, again so what, people might start switching to a competitor. It's not like Apple is the government, nor is it a monopoly.
> Apple is taking your root access away, and you're fine with it. They are saying that they de facto own your computer, not you. Yet you're fine with it.
Apple has not taken root access from me, I can still do whatever I want on my Mac Pro.
> Again, you might want to think long and hard about the long-term consequences of giving up root access to Apple. Security can be provided for the user without handing control over to Apple.
Again I still have root on my laptop; yes, I had to boot into recovery mode first, but afterwards I can sudo away. To me it seems like you haven't heard of Mandatory Access Controls. Operating systems have had the ability to reduce the privileges of root for a long time. That's all SIP is: an application of Mandatory Access Controls. SIP is built on top of the TrustedBSD MAC framework that FreeBSD, iOS, and Mac OS X all share. The MAC framework has been in iOS and Mac for a decade, and Apple has been slowly using it to harden their operating systems, and SIP is just a progression of this. You would think you would be happy that Apple is trying to improve the security of their products.
So tell me the equivalent method to gain complete root access on an iphone. Not a jailbreak or unofficial firmware, an actual supported method by which you can become root and change anything on the device. Unless I am badly misinformed, this doesn't exist.
Your faith in Apple to not lock out SIP (or otherwise continue their trend of turning their products into appliances) requires ignoring that Apple already did that on other products.
> anger developers and technical users
So all Apple (or whomever) has to do to take away features is to make sure they have a way to satisfy or distract most of the developers and technical users. As this is not a large group of people, if they have a workaround, it does not change much.
I already said that this technological priesthood that knows how to work around these problems doesn't matter, as the average users are the people who will pay for this in practice.
Why would it hurt users? Because this kind of feature tends to always expand in scope when there is a financial incentive to do so. You even acknowledge this.
> I also hope apple keeps adding to the list of protected resource, to continue securing Mac OSX and IOS.
Securing for who? The owner of the computer? Or the vendors of their app store and music store?
> Apple has not taken root access from me, I can still do whatever I want on my Mac Pro.
Sometimes this isn't about YOU. This kind of selfish attitude is what allows corporations to continue taking advantage of other people.
> switching to a competitor
How many competitors are there for people to switch to? Are you stretching the definition and including competitors that are not compatible and would require re-purchasing software because the software they already paid for isn't compatible?
There is a huge cost to switching... which is why Apple absolutely is guilty of monopolizing (which is what the anti-trust laws ban, not a "monopoly" by some arbitrary market share).
> Again I still have root on my laptop,
Of course. Apparently you didn't read the part where I discussed this was a warning about the future, as power is taken in small increments.
More importantly, I find it interesting that you completely ignored the topic of the War On General Purpose Computing, which is central to this discussion. Doctorow's 28C3 talk directly addresses these problems and refutes many of your replies. Do you want to learn about this problem, which has been going on for many years, or are you an apparatchik that believes Apple can do no wrong?
> So tell me the equivalent method to gain complete root access on an iphone. Not a jailbreak or unofficial firmware, an actual supported method by which you can become root and change anything on the device. Unless I am badly misinformed, this doesn't exist
There isn't one, and there has never been a way to officially gain full root on an iphone. Which is fine, iphones were never marketed as a general computing device, it's a smartphone.
> Your faith in Apple to not lock out SIP (or otherwise continue their trend of turning their products into appliances) requires ignoring that Apple already did that on other products.
I could care less what apple does, it's not my primary operating system, FreeBSD is.
> So all Apple (or whomever) has to do to take away features is to make sure they have a way to satisfy or distract most of the developers and technical users. As this is not a large group of people, if they have a workaround, it does not change much.
SIP isn't taking away features, it is a feature. Secondly, if Apple has a well documented workaround for their more restrictive features, then yes this is the best of both worlds. As the OpenBSD crowd has shown, security features need to be on by default or they are rarely used. Apple can't rely on most of their users to turn on the various security features. Most Linux users turn off selinux because it's hard to set up, and I would wager Linux users are more technical on average than Mac users. And by allowing a way to turn off these security features for those who need to, it allows for people to do whatever they want with their Mac.
> How many competitors are there for people to switch to? Are you stretching the definition and including competitors that are not compatible and would require re-purchasing software because the software they already paid for isn't compatible?
There's plenty of competition in both mobile phones and personal computer markets. For mobile phones you can get smartphones from Apple, Samsung, HTC, Microsoft, BlackBerry, and a few more. As for personal computers there's Apple, HP, Dell, Lenovo, Asus, Toshiba, etc, etc. I also would like to add that even if these various products are not compatible it does not mean they are not competitors. Blenders from two different manufacturers are not compatible, but they are most definitely competing for customers.
> Sometimes this isn't about YOU. This kind of selfish attitude is what allows corporations to continue taking advantage of other people.
When it's about me and my laptop, the only thing I care about is whether I'm satisfied. And I think it's strange that you think this is an example of Apple taking advantage of people, when Apple has done far worse things to people, such as their use of cheap labour when they could easily afford to pay those people more. SIP is a good thing.
> Sometimes this isn't about YOU. This kind of selfish attitude is what allows corporations to continue taking advantage of other people.
The reason corporations do as they please is because people don't hold politicians accountable. Secondly I would like to say, have you thought whether YOU are being selfish? You want a company YOU don't own to change their product to satisfy YOUR view on how they should make their product. Especially considering this feature protects users from various types of attacks, such as loading rootkits and hooking library functions.
> More importantly, I find it interesting that you completely ignored the topic of the War On General Purpose Computing, which is central to this discussion. Doctorow's 28C3 talk directly addresses these problems and refutes many of your replies. Do you want to learn about this problem, which has been going on for many years, or are you an apparatchik that believes Apple can do no wrong?
I ignored it because it was late and I was tired, but again, reading through that first article, it seems like another case of people telling others how they run their business. The MPAA and RIAA infuriate me, as well as DRM. So you know what I did? I stopped purchasing products that I knew had DRM, and I stopped going to the movie theater. As for the abuses of the DMCA law by John Deere and others, people should be simultaneously not purchasing their products while lobbying their representative about changing this broken law.
And from my point of view there is no war on general computing; this is not the 80's and 90's where most software was proprietary. Computer users have more choices for free, open source software than they ever did. Now we're even seeing an open hardware movement!
No need to single out Apple. Windows has been requiring signed kernel drivers by default for probably at least as long.
Both systems offer ways to disable restrictions and reconfigure the systems for kernel development.
Not seeing the big deal with requiring developers to jump through a couple of hoops to disable security features that are genuinely useful for regular end users.
[1] http://boingboing.net/2012/01/10/lockdown.html
[2] https://www.youtube.com/watch?v=nypRYpVKc5Y
[3] http://www.wired.com/2015/04/dmca-ownership-john-deere/
[4] one example: http://i.imgur.com/rjbzWyB.jpg
[5] https://news.ycombinator.com/item?id=10754170