you mean Apple security will finally get to respectable levels instead of being a joke and one of the worst out there in terms of fixing problems?

Most security is measured in terms of zero day exploits. Apple is the worst when it comes to fixing those and they tend to rack up the most of them.

How long have the DLL hijacking exploits existed in Windows? Answer = In all Windows NT based systems past and present. And, has this long standing issue yet been corrected? Answer = Nope.

Combine DLL hijacking with DEP and ASLR being neglected in popular Windows software and you have an easy vector to install malware. Don't forget to bypass UAC.
 
How long have the DLL hijacking exploits existed in Windows? Answer = In all Windows NT based systems past and present. And, has this long standing issue yet been corrected? Answer = Nope.

Combine DLL hijacking with DEP and ASLR being neglected in popular Windows software and you have an easy vector to install malware. Don't forget to bypass UAC.

Just out of curiosity, if these exploits still exist in all versions of Windows, why is OS X the first OS to crumble in hacking contests?
 
Just out of curiosity, if these exploits still exist in all versions of Windows, why is OS X the first OS to crumble in hacking contests?

Because these exploits mentioned require user intervention. If memory serves me correctly, the DLL exploit allows an exe to use a compromised DLL, but the trick is that the exe needs to be run. Getting that exe to run requires... you guessed it, user input.

At black hat security conferences where OS X is always the first OS to be breached, that's because it's easier to run arbitrary code on the machine without user intervention.

As much as the DLL exploit is a security hole today, when it was first implemented in Windows 3.1 (or earlier?) there was no internet, and it was a perfectly safe design decision allowing for easier writing of programs.

Sure they could remove it, and I'm sure at some point they will, but there's a reason why your copy of Oregon Trail for DOS still runs ;)
 
Just out of curiosity, if these exploits still exist in all versions of Windows, why is OS X the first OS to crumble in hacking contests?

These exploits existing in Windows has no connection to achieving arbitrary code execution without privilege escalation in Mac OS X.

How do you even make that connection?
 
Just out of curiosity, if these exploits still exist in all versions of Windows, why is OS X the first OS to crumble in hacking contests?

The truth is many computer users are idiots. The problem is MS has 95% worldwide market share, so they have a lot more stupid users.

But here are some answers to why OS X gets hacked so fast.
Straight from the winner 2 or 3 years running.

http://www.tomshardware.com/reviews/pwn2own-mac-hack,2254.html

http://www.zdnet.com/blog/security/questions-for-pwn2own-hacker-charlie-miller/2941

http://www.forbes.com/forbes/2010/0412/technology-apple-hackers-charlie-miller.html
 
Just out of curiosity, if these exploits still exist in all versions of Windows, why is OS X the first OS to crumble in hacking contests?

Also, Mac OS X is at a disadvantage in hacking contests because it includes Flash, Java, PDF support, more multimedia codecs, etc. by default so it has much more to attack.

Interestingly, Windows still fails without all that extra attack surface. Once you install Flash, Java, etc. in Windows it becomes even easier to exploit as these items often neglect DEP and ASLR as shown in this article.

BTW, DLL hijacking is used in certain types of browser exploitation given that one of the recommendations in this article to defend against exploitation is to disable your web client (browser).

Those examples also demonstrate how it is easier to achieve privilege escalation in Windows. Privilege escalation is required for viruses and worms to be installed.

At black hat security conferences where OS X is always the first OS to be breached, that's because it's easier to run arbitrary code on the machine without user intervention.

Technically, browser exploitation as occurs in security conferences requires user intervention as well.
 
But here are some answers to why OS X gets hacked so fast.

Those articles present some misinformation. They often state that Windows has full ASLR but Windows only has the potential to have full ASLR. This article shows that many DLLs are not randomized. Mac OS X is criticized because many of its dylibs (Mac equivalent to DLLs) are not randomized. The Mac OS X (and Linux) advantage over Windows in terms of ASLR is that Mac OS X randomizes memory into 4 byte blocks while Windows uses 64 byte blocks. Smaller block size makes exploitation more complicated but randomization can be avoided by using non randomized memory.

Also, that article shows that some Windows software lacks DEP regardless of Windows version or architecture (32 bit or 64 bit). Mac OS X is criticized because 32 bit processes lack DEP for heap but most of Snow Leopard is 64 bit; 64 bit processes in Snow Leopard have hardware based DEP on both the stack and heap.
 
These exploits existing in Windows has no connection to achieving arbitrary code execution without privilege escalation in Mac OS X.

How do you even make that connection?

I'm not making any connection, I don't know much about the exploits in Windows and OS X, but I see a lot of people pointing out all the flaws and holes in Windows, and make OS X out to be some shiny, perfect impenetrable fortress of security.

Yet when the OS's are pitted against each other with default factory settings, OS X is the first to fall.
 
Yet when the OS's are pitted against each other with default factory settings, OS X is the first to fall.

The factory default settings in Windows do not represent how the OS is typically used day to day. Most users install Flash, Java, PDF support, multimedia codecs, etc. Most Windows malware via the browser uses these third party items. Even without those third party elements, Windows 7 is still exploited.

Mac OS X includes more third party components by default and it is usually exploited via its PDF support within the browser to achieve arbitrary code execution without privilege escalation.

Privilege escalation is rare for OS X; for example, only 4 examples (none in 2008, 2010, or 2011) in the last four years and never used in exploits in the wild. Privilege escalation is much more common in Windows via direct exploit (for example, UAC bypass) or by hijacking a DLL with elevated privileges. Privilege escalation is required for virus or worm install. Trojans use social engineering to trick users to install trojans with elevated privileges.

Also, go to the Can Sec West website and check out the sponsors to PWN2OWN. Kinda makes sense why it is a little bit biased.
 

The factory default settings in Windows do not represent how the OS is typically used day to day. Most users install Flash, Java, PDF support, multimedia codecs, etc. Most Windows malware via the browser uses these third party items. Even without those third party elements, Windows 7 is still exploited.

But you didn't mention that last year's Pwn2Own saw OS X and Safari go down faster than Windows 7 and IE8. And that the overall winner was the iPhone exploit.

And that ( http://dvlabs.tippingpoint.com/blog...n=Feed:+dvlabsblog+(TippingPoint+DVLabs+Blog) )
the configuration of the machine was beta pre-release version of Windows 7, and a pre-release build of IE8 as of March 18th, when the contest began.


Anyways, even the man that hacks OS X, Charlie Miller, will tell you Windows 7 and OS X are on par this year due to OS X adding DEP.
But the one flaw OS X has that makes it so easy to hack is Safari.

Funny thing is 9 days before Pwn2Own, Apple released 16 patches for WebKit and Safari. And they still got pwned.

Here is a snip from Charlie Miller about 2010 contest.

Charlie Miller, the Pwn2Own contest winner for two years in a row, gives his take on Internet security. Guess what — your Mac OS is no less vulnerable than its Microsoft Windows counterpart.

Windows 7 or Snow Leopard, which of these two commercial OS will be harder to hack and why?

Windows 7 is slightly more difficult because it has full ASLR (address space layout randomization) and a smaller attack surface (for example, no Java or Flash by default). Windows used to be much harder because it had full ASLR and DEP (data execution prevention). But recently, a talk at Black Hat DC showed how to get around these protections in a browser in Windows. No operating system and browser is immune to an attack. And, Flash is the bane of security (well, one of it anyway).

In your opinion, which is the safer combination OS+browser to use?

That's a good question. Chrome or IE8 on Windows 7 with no Flash installed. There probably isn't enough difference between the browsers to get worked up about. The main thing is not to install Flash.

The interview was conducted by Matteo Campofiorito at OneITSecurity.
 
But you didn't mention that last years Pwn2Own saw OS X and Safari go down faster than Windows 7 and ie8. And that the overall winner was the iPhone exploit.

Once the malicious code is injected into a process, the time it takes to complete exploitation is irrelevant. In terms of real world exploitation, whether or not it leads to malware install is what matters. Privilege escalation is required for malware install. I have already made a post in this thread in relation to privilege escalation.

https://forums.macrumors.com/posts/11784426/


The article you linked to is from 2009. This article is from 2010.

http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf

Anyways, even the man that hacks OSX, Charlie Miller will tell you, Windows 7 and OsX are on par this year due to OsX adding DEP.

Charlie Miller must be referring to the systems in relation to setting of the contest. Any statements referring to DEP and ASLR go out the "Windows" ;) when looking at the state in which most users actually use their computers. I have already covered this in a previous post in this thread.

https://forums.macrumors.com/posts/11784304/

No matter how many links and quotes referring to DEP and full ASLR you post, they will not negate the content of this article.

http://secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf

But the one flaw OS X has that makes it so easy to hack is Safari.

Imagine that! A browser exploitation contest leads to browsers being exploited! The same must hold true for IE in Windows.
 
Imagine that! A browser exploitation contest leads to browsers being exploited! The same must hold true for IE in Windows.

Never said it wasn't. Just pointing out to the poster why OSX gets hacked first and fastest at these contests.

You wanted to make it into a windows vs OSX issue, when clearly they both are hackable.

And I'm sorry, nothing you're gonna say is gonna tell me anything different than what Charlie Miller has been quoted.
Nothing personal, but I'm gonna take what he said, the guy that does this for a living and actually competes and wins these hacking contests, over some guy on the internet that keeps talking about how bad MS security is. You seem so sure, would love for you and all these other ppl spouting MS FUD to enter these contests and drop Windows faster than they have been doing to OSX.
Prove them wrong and I'll take what you say more seriously.


Like I said in my first post, people are going to be stupid, MS has 95% market share so they are gonna have that many more stupid users.
 
Never said it wasn't. Just pointing out to the poster why OSX gets hacked first and fastest at these contests.

When did you state why?

You wanted to make it into a windows vs OSX issue, when clearly they both are hackable.

All OSes have exploits leading to arbitrary code execution with user level privileges. Cite one example from the media of browser exploitation occurring in the wild in Safari in OS X.

But, Windows does have a history of viruses and worms that achieve privilege escalation.

And I'm sorry, nothing you're gonna say is gonna tell me anything different than what Charlie Miller has been quoted.
Nothing personal, but I'm gonna take what he said, the guy that does this for a living and actually competes and wins these hacking contests, over some guy on the internet that keeps talking about how bad MS security is. You seem so sure, would love for you and all these other ppl spouting MS FUD to enter these contests and drop Windows faster than they have been doing to OSX.
Prove them wrong and I'll take what you say more seriously.

Don't take my word for it! Take the word of other professionals in the industry!

http://secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf

http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf -> DEP and ASLR are fully enabled but still defeated in the default state of IE8 in Windows 7.

Like I said in my first post, people are going to be stupid, MS has 95% market share so they are gonna have that many more stupid users.

Stupid has nothing to do with exploitation by malware that does not require user intervention, such as viruses and worms.
 
When did you state why?

I linked to Charlie Miller and let the expert explain why. And yet you can't defend anything he has been quoted. All you can do is say hey look Windows can be hacked too. But no one ever said it couldn't.

You just can't accept that OSX is just as vulnerable as Windows and in most cases more so. You can link all the articles you want and I can do the same. Doesn't change the fact OSX gets dropped first and fastest at these competitions.

But, Windows does have a history of viruses and worms that achieve privilege escalation.
So does OSX:

http://www.macworld.com/article/134165/2008/06/ardagent.html

If you can do better, or the security experts whose .pdfs you love to link can do better, go to these conferences and competitions and prove them wrong.
You won't or can't and they can't.
You can go on about JIT-spray to bypass ASLR and DEP but it still doesn't change what actually happens. Year after year, OSX drops first and fastest.
Even when they relaxed the rules because no one was able to hack any OS and browser, OSX dropped on day 2. They had to relax the rules more and more till Windows was hacked on day 4, then Linux, in 2008 or 2009.

You can say malware all you want. How about I link to cultofmac, a mac centric site for you: http://www.cultofmac.com/talking-with-mac-hacker-charles-miller/58273

Markin Abras > It is said that "Apple products" are safer than Windows-based products. Is this really true or are hackers too busy hacking PC-based devices?

Charles Miller > Both of your statements are true. They are safer exactly for the reason that not many criminals are looking at them. Most malware is written with the purpose of compromising as many hosts as possible, and that means Windows. There is nothing inherently more secure about Macs, in fact they're probably a little easier to break into, but really they are protected for the moment by their limited market share.

Like I said, I'll listen to what Charlie Miller has to say, and draw my conclusions.
 
I linked to Charlie Miller and let the expert explained why. And yet you can't defend anything he has been quoted. All you can do is say hey look windows can be hacked too. But no one ever said it couldn't.

When did Charlie say why? Nothing he states relates to the speed of exploitation.


This was patched prior to it being publicly known and was never associated with any malware threat. Also, this is a component related to remote login that is turned off by default.

Name one piece of malware for OS X that does not require user intervention to infect and propagate.

Cite one example from the media of browser exploitation occurring in the wild in Safari in OS X.

If you can do better, or the security experts whose .pdfs you love to link can do better, go to these conferences and competitions and prove them wrong.
You won't or can't and they can't.
You can go on about JIT-spray to bypass ASLR and DEP but it still doesn't change what actually happens.

This is the exploit that took down Windows at PWN2OWN 2010 -> http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf

Can you do better?

Year after year, OSX drops first and fastest.
Even when they relaxed the rules because no one was able to hack any OS and browser, OSX dropped on day 2. They had to relax the rules more and more till Windows was hacked on day 4, then Linux, in 2008 or 2009.

2008 -> Linux did not get exploited. Safari exploited via JavaScript (edit) on day 2. IE exploited via Flash (not included by default) on day 3.

2009 -> Rules changed, only targeting the browser. Linux was not included in the contest. Safari exploited via PDF support (included by default) on day 1. IE exploited without any plugins on day 1.

Here is some more info for you to look at:

1. Authentication & Privileges

You should have a unique identifier (password) attached to the authentication mechanism (UAC in Windows). So, Windows users should run as standard users. But, using a standard account in Windows causes issues with some software, such as some online games, that require admin accounts (or "run as administrator"; superuser) to function. Many online games on Windows 7 still require running as Administrator (superuser privileges) to function. This requires setting the "Properties" to allow "run as Administrator" or turning off UAC. This is risky as the games connect to remote servers and download content. Trojans are installed without authentication if accessed with superuser privileges. This example, using online games, shows the problem with how software is being written for Windows. This problem led to DLL hijacking exploits. You definitely need good antivirus software in Windows to more safely play games that require Administrator privileges.

On Mac OS X, the admin account requires authentication with a password to elevate privileges. Trojans that can be installed without authentication in OS X admin accounts, such as OSX/Leap-a, are not able to cause a lot of damage (can not install rootkits = kexts or binaries with elevated privileges = /System/Library, /usr, /bin, /sbin, etc). This is why such threats are fewer in OSX. Running as a standard user in Mac OS X allows ineffective malware, such as Leap-a, to cause even less damage.

For example, Leap-a in admin account infected apps that belong to admin group but not system (system = default Mac OS X apps; Safari, Mail, etc) and even fewer apps in a standard account. All Leap-a accomplished was causing apps it could infect to no longer launch. Also, it only spread across LAN from PPC machines and did not have the potential to install any rootkits or keyloggers that could hook into apps owned by System. Leap-a has been the most sophisticated piece of malware for Mac OS X; all others have been trojans that prompt for an Admin password. Leap-a was an Input Manager. As of Leopard, all Input Managers require Admin password to install; in 10.6, Input Managers also do not function with 64 bit apps. In Tiger, Leap-a required authentication via Admin password to infect iChat to spread via Bonjour given that iChat belongs to "System".

The issue with online games found in Windows is not problematic on Mac OS X given that software for Mac is written following the guidelines of the principle of least privilege more so than Windows software. For example, I have played online FPS games on my Mac with standard account privileges that require "run as Administrator" (superuser privileges) in Windows systems. Mac OS X is much better insulated from malware.

2. Bugs

Another factor that makes Mac OS X more secure than Windows is the number of bugs per lines of code. I only know of empirical evidence for that fact for Linux. But anecdotal evidence for Mac OS X is substantiated via comparing the number of bugs per OS platform on an exploit database website such as Exploit-db. I think using such anecdotal evidence for Mac OS X is valid as Linux has more entries in the database than Mac OS X and Linux has a smaller market share. The number of bugs per lines of code is important because it influences the likelihood of finding critical holes that allow viruses and worms to be installed.

For example, arbitrary code execution allows the attacker to take control over the vulnerable process with the level of privileges of the process which is usually that of the user (Safari has the current user's level of privileges). Privilege escalation is possible if a component (kernel or DLL) of the OS with elevated privileges is accessible by the compromised process but only if that component also has a vulnerability that is exploitable. Not all vulnerabilities are exploitable (roughly 25%). Therefore, both the arbitrary code execution exploit and the privilege escalation exploit have to be linked together in a logical manner. This is the difficult part; finding a string of exploits. Given that such local exploits are rare for Mac OS X (0 in 2010), the statistical odds of finding a working string of exploits for Mac OS X are not trivial; especially, when compared to the potential to find such strings in Windows. To further clarify the difference, do a search per OS platform.

Viruses, worms, and trojans that can be installed without authentication require privilege escalation. This is why malware on Mac is limited to trojans that require authentication.

3. Security Mitigations

As of Mac OS X 10.5, both the stack and heap use the NX bit for ALL 64 bit processes and most of what is accessible for exploitation in 10.6 is running as 64 bit. 64 bit processes have not been exploited in 10.6 AFAIK but they have in 64 bit Linux that also uses stack and heap NX protection. http://www.exploit-db.com/exploits/15024/ (Only processes related to 32-bit emulation and compatibility are being exploited on x86_64 Linux.)

Both ASLR and DEP were defeated in 64 bit Windows 7 at the last PWN2OWN but DEP in Windows may be optional at the discretion of the developer as its wiki suggests. This article outlines the issues with Windows ASLR/DEP in depth.

Full ASLR for 64 bit processes in 10.6 may not be necessary given that the 64 bit dyld file is located in the same folder as the 32 bit dyld file. The 32 bit dyld file is accessed during exploitation of 32 bit processes but 64 bit processes are not being exploited even though the file is equally accessible. In remote exploitation, the dyld information is acquired via an executable located at usr/lib/dyld that equally provides information for x86 and x86_64 processes. This makes me believe that, for now, NX bit is enough to protect these processes with partial ASLR. Partial ASLR becomes a factor in relation to security as it still allows payloads to be executed via return oriented programming once a process has been exploited. ASLR is necessary to help protect 32 bit processes and Apple should improve its ASLR or move everything over to 64 bit. Apple appears to be focusing on migrating over to 64 bit which is most likely the more reliable option. Apple is also working on developing a split process model for WebKit2 (underpinnings of Safari and Mail) to help improve security as well. Split process model style of sandboxing seems effective given that Google Chrome survived PWN2OWN.

Windows in some ways has better implementations of these technologies than Mac OS X. But, both Mac OS X and Linux randomize memory space in 4 byte sections as opposed to Windows, which uses 64 byte sections. Also, a lot of popular third party software does not implement any security mitigations in Windows. For example, DEP and ASLR are neglected by popular software. Also, all of the security in the world goes out the window if you run with superuser privileges.

Also, no antivirus software has 100% detection rates. 99% of 1,000,000 = 10,000 pieces of malware not detected.
 
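As an added illustration of the opt-in flags the posts above keep returning to (example code written for this edit, not from the thread, the Secunia paper, Apple or Microsoft): a defender's header audit that reads a PE image's NX_COMPAT (DEP) and DYNAMIC_BASE (ASLR) bits and a Mach-O image's bitness and PIE flag. The sample images, their names and the `weak_images` policy are constructed here; the header layouts and flag values are the public PE/COFF and Mach-O formats.

```python
"""Audit of the opt-in mitigation flags argued about in this thread.
Constructed example, not the Secunia paper's tooling or any poster's code: header-only
PE (Windows) and Mach-O (OS X) images are built in memory and read back to report
whether they opt in to DEP/NX and ASLR, using the public PE/COFF and Mach-O layouts."""
import struct

# PE optional header DllCharacteristics bits (PE/COFF specification).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image opts in to DEP
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

# Mach-O header constants (mach-o/loader.h).
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_PIE = 0x200000          # executable may be loaded at a randomized base
CPU_TYPE_I386, CPU_TYPE_X86_64 = 0x7, 0x01000007


def pe_mitigations(data: bytes) -> dict:
    """Report bitness and the DEP/ASLR opt-in bits of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                          # optional header follows COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < 72:                        # DllCharacteristics sits at offset 70
        raise ValueError("optional header too short")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)  # same offset in PE32 and PE32+
    return {"bits": 64 if magic == PE32PLUS_MAGIC else 32,
            "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
            "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)}


def macho_mitigations(data: bytes) -> dict:
    """Report bitness, CPU type and the PIE flag of a little-endian Mach-O image."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:                 # mach_header_64: 7 fields after magic
        cputype, _sub, _ftype, _ncmds, _size, flags, _res = struct.unpack_from("<7I", data, 4)
        bits = 64
    elif magic == MH_MAGIC:                  # mach_header: 6 fields after magic
        cputype, _sub, _ftype, _ncmds, _size, flags = struct.unpack_from("<6I", data, 4)
        bits = 32
    else:
        raise ValueError("not a little-endian Mach-O image")
    return {"bits": bits, "cputype": cputype, "pie": bool(flags & MH_PIE)}


def make_pe(magic: int, dll_characteristics: int) -> bytes:
    """Build a constructed, header-only PE image, just enough for the audit."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew: NT headers start at offset 64
    is64 = magic == PE32PLUS_MAGIC
    opt_size = 240 if is64 else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if is64 else 0x14C, 0, 0, 0, 0, opt_size, 0x2)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


def make_macho(bits: int, flags: int) -> bytes:
    """Build a constructed, header-only Mach-O executable (cpusubtype ALL=3, MH_EXECUTE=2)."""
    if bits == 64:
        return struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 3, 2, 0, 0, flags, 0)
    return struct.pack("<7I", MH_MAGIC, CPU_TYPE_I386, 3, 2, 0, 0, flags)


def weak_images(images: dict) -> list:
    """Names of images missing a mitigation their header can express: for PE both
    NX_COMPAT and DYNAMIC_BASE, for Mach-O the PIE flag (NX on OS X is a
    per-process property the header does not record)."""
    weak = []
    for name, data in images.items():
        if data[:2] == b"MZ":
            info = pe_mitigations(data)
            ok = info["dep"] and info["aslr"]
        else:
            ok = macho_mitigations(data)["pie"]
        if not ok:
            weak.append(name)
    return sorted(weak)


# Constructed sample set mirroring the thread's cases: a 32-bit third-party
# plugin built with neither flag, a 64-bit DLL with both, a 32-bit OS X helper
# without PIE and a 64-bit OS X executable with PIE.
SAMPLES = {
    "plugin32.dll": make_pe(PE32_MAGIC, 0),
    "system64.dll": make_pe(PE32PLUS_MAGIC, IMAGE_DLLCHARACTERISTICS_NX_COMPAT
                            | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    "helper32": make_macho(32, 0),
    "app64": make_macho(64, MH_PIE),
}
```

Running `weak_images(SAMPLES)` flags `helper32` and `plugin32.dll`, the two images that shipped without the opt-in; the same parsers can be pointed at real files read from disk.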
Charlie Miller does state why. "It was a lot easier." That's it, pure and simple. You can deny it all you want. But that is a fact.

Linux was in 2008. They were the last standing. Didn't mean they got exploited. Just proving that OSX dropped first and it took a relaxing of the rules for windows to get exploited.

You can write a dissertation and/or novel as to why Windows is less secure. But the fact remains in these contests OSX drops first and fastest.

I love the fact you point out how windows ASLR and DEP was defeated in 2010, but overlooked the fact that OSX was still the first to get exploited.

And your points also agree with what I've been saying. Users are stupid. If they turn off UAC, whose fault is that?? Windows? Nope..
And third party software, whose fault is that? Windows again? Nope..

So everything you just typed didn't change the fact that OSX still got pwned first and faster than Windows.
I'm sure you'll write another novel and it may or may not be as long as your last post. But it'll never change the fact OSX has been exploited first and fastest at these hacker competitions; nothing can change that.

Now I suggest we agree to disagree. I think both OSX and windows are hackable and you can keep saying that windows is and OSX is not.
 
Charlie Miller does state why. "It was a lot easier." That's it, pure and simple. You can deny it all you want. But that is a fact.

You have stated they are equal and that Macs are easier? These two things are mutually exclusive. So, which one is it?

Linux was in 2008. They were the last standing. Didn't mean they got exploited. Just proving that OSX dropped first and it took a relaxing of the rules for windows to get exploited.

They relaxed the rules to allow something in Windows that is included by default in OS X and that something, Flash, is typically installed for day to day use. To make the contest represent most users' day to day usage, those plugins should be installed on day one for all OSes.

You can write a dissertation and/or novel as to why Windows is less secure. But the fact remains in these contests OSX drops first and fastest.

Again, how is "first and fastest" relevant? How does that relate to the state of malware affecting computers in everyday usage?

I love the fact you point out how windows ASLR and DEP was defeated in 2010, but overlooked the fact that OSX was still the first to get exploited.

Exactly, Mac OS X is defeated via a component of its PDF support that is 32 bit and therefore does not have DEP on heap. Each OS X update brings more into 64 bit which is not being exploited. Windows security mitigations for 64 bit are already being defeated.

And your points also agree with what I've been saying. Users are stupid. If they turn off UAC, whose fault is that?? Windows? Nope..
And third party software, whose fault is that? Windows again? Nope..

Turning off UAC so that the user can do something as basic as playing online games is Windows' fault because it is related to the way software is written for Windows that leads to DLL hijacking. The DLL hijacking issue even exists in the default software included in Windows.

Do users need that third party software to maximize their everyday user experience? Yup. Is windows still exploited without that third party software? Yup.

Now I suggest we agree to disagree. I think both OSX and windows are hackable and you can keep saying that windows is and OSX is not.

Implicit in everything I am saying is that OS X is hackable. Specifically, on OS X arbitrary code execution with user privileges is possible but there has not been an example of exploitation leading to malware install without user interaction throughout the history of Mac OS X (about 10 years?).

There are still recent incidents of this type of malware occurring in Windows in the wild that affect everyday users.

Here is what Charlie Miller thinks about Mac malware predictions. LOL
 

You have stated they are equal and that Mac are easier? These two things are mutually exclusive. So, which one is it?

I didn't say it, Charlie Miller did.

Why Safari? Why didn’t you go after IE or Safari?

It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.

It’s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn’t have anti-exploit stuff built into it.

Here is his twitter. Ask him yourself: https://twitter.com/0xcharlie

I'll make sure to see what his response is to you, mr expert.

And on his exploit of OSX at 2010 Pwn2Own:

Miller declined to provide details on his exploit, but said the target computer was compromised after visiting a Web site hosting the malicious code.

"I got an interactive shell (interface) on his box so I could run any commands I want," he said. "He had no idea and his machine was totally patched."

Miller wrote the exploit in less than a week. "It was very reliable," he said. "Some researchers say it's 'weaponized,' which means it always works."


Here another one you keep discounting.

Windows 7 or Snow Leopard, which of these two commercial OS will be harder to hack and why?

Windows 7 is slightly more difficult because it has full ASLR (address space layout randomization) and a smaller attack surface (for example, no Java or Flash by default). Windows used to be much harder because it had full ASLR and DEP (data execution prevention).

And in 2009 OSX and Safari fell in minutes. Just minutes.
All of your yelling and screaming will never change history. It happened.

If a user turns off UAC because of third party software, you blame the OS?
So I get an email that says "Click me to see nude pix" on my MBP and I get infected, I should blame Apple?
Because flash, a third party software, is the "bane of security" I should Blame Apple instead of Adobe??
You make a lot of sense there?

It's early 2011, would love to see you enter some competitions and spout the stuff you've been spouting and prove me wrong. Would love it. But you won't.

Here is what Charlie Miller thinks about Mac OSX 64bit LOL
immunityinc Safari and Android exploits released! http://www.immunityinc.com/ceu-index.shtml (Yes, this will own your 64 bit OS X box!) 12:32 PM Jan 18th via web Retweeted by 0xcharlie and 60 others
 
I didn't say it, Charlie Miller did.

Charlie said both as well but the most recent quote is:

Charlie Miller, the Pwn2Own contest winner for two years in a row, gives his take on Internet security. Guess what — your Mac OS is no less vulnerable than its Microsoft Windows counterpart.

Quotes from him are really starting to look like FUD to me.

Here is his twitter.

A quote from Charlie's twitter?

Nope, thanks for playing

And on his exploit of OSX at 2010 Pwn2Own:

I will say it again, Arbitrary code escalation without privilege escalation.

I want to see real world relevance, so:

Name one piece of malware for OS X that does not require user interaction to infect and propagate.

Here another one you keep discounting.

Exactly,
no Java or Flash by default

And in 2009

2010 -> Both fell in minutes. That means Windows security is declining over time.

If a user turns off UAC because of third party software, you blame the OS?

If the user has to do it to accomplish the task they want to do, then I blame the OS.

So I get an email that says "Click me to see nude pix" on my MBP and I get infected, I should blame Apple?

Name one example of that occurring in OS X in the wild.

Because flash, a third party software, is the "bane of security" I should Blame Apple instead of Adobe??

That is what the security industry does to Apple because Apple included Flash (and other third party elements) by default. Even you are implying that seems biased.

Here is what Charlie Miller thinks about Mac OSX 64bit

You do realize that 64 bit Mac OS X has 32 bit dylibs that are used by other 64 bit processes. Mac OS X 64 bit is exploited via these remaining 32 bit processes that are being removed with each update.

No one has produced a string of exploits that could lead to malware install without user interaction.

Here is a quote in relation to kernel privilege escalation from Miller from this 2010 interview
 

Bravo!

I must say I am really enjoying the productive banter between you two (munkery & weespeed). I enjoy learning all about security in the digital world and I understood probably about 98% of all that you are talking about. There is a lot of technical detail in your posts and no flaming or name-calling like most people end up resorting to: "Windows is better and OS/X sucks" or vice versa.

You guys stuck to facts and technical details in your debate and I love that. It's nice to learn new things.

But overall, on a practical everyday "normal" user sense of vulnerability of each OS, which one is truly more at risk? Taking into account that nearly everyone uses Flash, Adobe Reader, IE, FF, Safari and the like and isn't security aware at all and just clicks on things they think are interesting without giving a moment of pause first to consider if they should click or not. Most people don't use ClickToFlash or NoScript for FF or BetterPrivacy for FF.

Aren't most security vulnerabilities today run through JavaScript which is obviously cross browser, cross platform? (Knowing of course that said exploit through JS will be written with a specific OS in mind).

It seems to me that the OS's themselves aren't the targets as much as they used to be, but browsers, Flash, .pdf's and JavaScript are the main targets or vehicles for exploits.
 

I'm going to say munkery knows more than me on security, it's just a hobby of mine. I'm a software engineer and security was a class I had to take in college. Nothing more.

In everyday use Windows is more vulnerable to me, because of the sheer numbers out there. The reasons to exploit a Windows machine are far greater than any reason to attack OSX.
And I'll say it again, all users of an OS have a subset of users called idiots. The fact that there are far more Windows users means a larger subset of idiots that would click that email, download that pirated software, etc.

And regular users do use flash, java, etc on both platforms. So the exploits that Charlie Miller used will work with the everyday mac user. To say anything different is false.

I mean even Vista, the bastard step-child of MS took 4 days to exploit vs OSX that was exploited on day 2.

I don't think people can say, "Hey you're running Windows 7? Ruh-oh, you gonna get virus, etc. You should use OSX, you'll never get any trojans, malware ever!" I think that's false.
And all these competitions and Black Hat conferences disprove that notion.

I use both and will never say one is better than the other. I do say they do certain things better and they do certain things poorly.

I use flash blockers and noscript on both my windows machine and on my MBP.

And you're absolutely right that it's harder to target the OS themselves. Most hackers go for the exploit in the 3rd party software that will hopefully let them in with the help of users that don't pay attention and are oblivious that they might get compromised.
 
But overall, on a practical everyday "normal" user sense of vulnerability of each OS, which one is truly more at risk? Taking into account that nearly everyone uses Flash, Adobe Reader, IE, FF, Safari and the like and isn't security aware at all and just clicks on things they think are interesting without giving a moment of pause first to consider if they should click or not.

You can answer this by asking yourself the following question:

Name one piece of malware for OS X that does not require user interaction (meaning password authentication) to infect and propagate?

This excludes trojans, but Mac OS X only has four relevant unsuccessful trojans and 3 of them are detected by XProtect included in 10.6 by default.

So, 1 undetected trojan for OS X vs hundreds, maybe thousands, of undetected pieces of malware for Windows, given that no AV software has 100% detection rates and the volume of Windows malware is growing faster each year.

Aren't most security vulnerabilities today run through JavaScript which is obviously cross browser, cross platform? (Knowing of course that said exploit through JS will be written with a specific OS in mind).

Javascript and PDF support are the primary weaknesses of Safari. As of 10.6, Flash (runs as a separate process and no longer included by default -> see MacBook Air) and Java (now 64 bit and is not allocated much memory space) are not reliable vectors for exploitation in OS X.

JavaScript exploits would be used to deliver a payload to achieve privilege escalation.

It seems to me that the OS's themselves aren't the targets as much as they used to be, but browsers, Flash, .pdf's and JavaScript are the main targets or vehicles for exploits.

They are a vehicle to deliver a payload to cause privilege escalation. Some levels of your system are compromised by a browser exploit alone but the likelihood of profit is much limited without privilege escalation so you do not see browser exploits occurring in the wild without being strung together with privilege escalation.

You need another exploit linked to the browser exploit to achieve privilege escalation. Mac OS X has fewer local root exploits than Linux, which has far fewer than Windows. Interestingly, FreeBSD, upon which Mac OS X is based, has fewer local roots than Linux.
 
You can answer this by asking yourself the following question:

Name one piece of malware for OS X that does not require user interaction (meaning password authentication) to infect and propagate?

None. But are there any exploits that attack Windows right now without user interaction? Just turning on a fully patched Win7 system and having it connected to the Internet (not behind a hardware firewall). I know there was a time with WinXP that just doing that would result in an infection just by pressing the power button. I think it was through the RAW sockets (If I recall correctly).
 