Call for Apple Security 'Czar'

conq writes "The second security non-incident to hit the Mac platform in as many weeks has been debunked. People are talking a lot about security on the Mac these days, and the result is that a great deal of FUD is being spread around. BusinessWeek's latest Byte of The Apple column suggests that its time for Apple to appoint a security Czar to get out ahead of the FUD before it spreads much more." From the article: "Creating a CSO position may be viewed by some as an admission of weakness. Still, I say it would be a good way for Apple to inoculate itself against the perception -- warranted or not -- that Mac security may be eroding, and get ahead of the curve for any troubles that may be inevitable. That may not be the case, but in matters related to product marketing, it's the public perception, not the reality that really matters. And once you've lost a user's confidence, it's hard to get it back. Just ask Microsoft."

Chief Security Officer?

[WinkyN (263806)]

A chief security officer? Why did an image of Lt. Worf just pop in my mind?

Re:Chief Security Officer?

[by Anonymous Coward]

I am not a merry man.

Re:Chief Security Officer?

[Anonymous Monkey (795756)]

Wow, I can imagine the next AV Package, Norton Warf. It would need to have a fire wall capable of striking back on its own (A Klingon would never let an aggressor stand), automatic redundant backups (Klingons have backup organs), and a tendency to talk back if you do something stupid (If you had any honor you would never even think of using Bonsai Buddy).

Re:Chief Security Officer?

[by Anonymous Coward]

...and a tendency to talk back if you do something stupid (If you had any honor you would never even think of using Bonsai Buddy).

He he he... The other day I was talking to a young woman who'd just got a Mac and set her download directory to "Applications" so that anything she downloads is automatically installed. She said it made it easier to use the computer.

User ignorance is still the biggest threat.

Sounds like a PR or Legal issue, not a security.

[team99parody (880782)]

"The second security non-incident to hit the Mac platform in as many weeks has been debunked."

Sounds to me they need to hire someone with appropiate skills in either their PR or Legal departments.

Two non-security incidents in a month almost certainly mean that they're the victim of a FUD campaign.

The right way to answer that is not to validate the fud, but

1. ... communicate the truth - which is a function of PR, and
2. ... make sure no-one's illegally slandering their trademark -which is a function of legal.

The latter is far more dangerous to Apple than the hypothetical security non-issues a CSO could address.

Apple's recent security update patched 20 holes

[I'm Don Giovanni (598558)]

How do you expect Apple to dismiss security reports as "a FUD campaign" to be fought with PR when they just released a security update that patched 20 holes and in 2005 released security updates nearly every month [apple.com] (nearly as often as Microsoft)? Apple didn't have to release any from Dec 2005-Feb2006, but the massive March 2006 Security Update makes up for those three months. ;-))

Apple needs to treat their holes as real problems, not just as a PR problem. And they're actually doing just that by releasing fixes and not spouting PR. Spouting PR would only make them a bigger target for hackers, just as appointing a "Security Czar" would. The latter would also undermine confidence of the general public ("If Mac is so secure, why do they need a 'Security Czar'?")

Would it be like the Maytag repair man?

[by Anonymous Coward]

Worf sits bored and alone in his corner office:

Worf: "This job gives me an intense feeling of Gardachk! I think I'll kill one of the developers at our next hackeysack battle."

Well, then, that would be poetic justice

[hey! (33014)]

After all, the top secret Apple/Novell skunk works project to show MacOS runing on Intel ('486) was code named "Star Trek". They actually had Finder running and had ported QuickDraw GX and QuickTime by the end of 1992; however when Sculley left and Spindler came in, they turned to the PowerPC instead.

Re:Well, then, that would be poetic justice

[good soldier svejk (571730)]

Apple, IBM and Motorola formed the AIM alliance [wikipedia.org] (AIMed breaking the INtel deathgrip on the PC architecture) in 1991, two years before Scully left.

The importance of user confidence

[FuzzyDaddy (584528)]

And once you've lost a user's confidence, it's hard to get it back. Just ask Microsoft

And yet, they still seem to be doing OK.

I'm concerned

[SpaceAdmiral (869318)]

I'm concerned about the security on my new Intel iMac. Do any helpful /.ers want a SSH login on my machine so that they can take a look and tell me if it's secure?

Re:I'm concerned

[Quaoar (614366)]

Sure, just be sure the account has the same password as your admin account. Otherwise I won't be able to telnet the SSH to ping your gigabyte.

Nominate Slashdot as the Apple CSO

[drrck (959788)]

Probably would work just as well to link to ever slashdot argu^^^^discussion on Apple's security issues.

Public confidence?

[4doorGL (591467)]

To maintain public confidence in its operating system, Jobs & Co. should consider hiring a security czar

Huh? Most of the "public" I know doesn't have any lack of confidence in OS X and hasn't even heard all the latest "scares" of OS X's security. In fact, I'd venture to guess that most of the "public" knows nothing about OS X being more secure than Windows (as it isn't really an advertised fact) and think that viruses/trojans/worms, etc, are just a part of computing.

Re:Public confidence?

[PitaBred (632671)]

But the geeks have, and the geeks tell the "public" about these things. My parents and family take my word about tech as gospel, essentially. They know I care about that stuff, they don't, and that I'm going to try to do the best for them that I can with advising that. If I think Macs are insecure (I don't, at least not compared to Windows), that's a lot of people that might have bought them that won't now.

Re:Public confidence?

[ZachPruckowski (918562)]

Not sure it'd matter even then. Geeks like me who use OS X would be sure to get to the bottom of these security "scares" in the interest of self-security. And MS geeks prolly wouldn't think of recommending a Mac in the first place. So I suppose the only people affected are Linux geeks, who might have been inclined to mention the Mac. Yes, that was major generalization, but at least mostly true.

Re:Public confidence?

[Golias (176380)]

The whole idea makes no sense at all.

What they seemed to just say, in a nutshell:

"Apple should create a executive position to serve as a figurehead in charge of security. Doing so will create the perception that Apple's shit is not as secure as it used to be, but is needed to maintain the perception that it's still as secure as it used to be."

So, if they don't hire somebody like that, confidence in their security will erode.

But if they do hire somebody like that, confidence in their security will erode.

Here's a thought: Why not just keep putting out an OS which is vastly more secure than Windows? As a customer, I've been pretty happy with that strategy so far.

Re:Public confidence?

[Midnight Thunder (17205)]

Huh? Most of the "public" I know doesn't have any lack of confidence in OS X and hasn't even heard all the latest "scares" of OS X's security.

What is OS X? Should it effect me? ;)

Just ask Microsoft????

[WindBourne (631190)]

that is funny. The reason why you can not trust MS is because they have loads of security issues. With Apple they have been overall secure. What I find funny is that a column would call for them to go through the hoops that MS does now, rather than simply staying the same course that has worked well for mainframes, other *nixs, and all the trusted systems that they gov. uses today.

Re:Just ask Microsoft????

[WindBourne (631190)]

Who has a "security czar" on their systems? Trusted Solaris does not. Nor does HP, nor does Trusted Vax. Back in the early 90's when I worked at HP and later at IBM, I can tell you that we had groups that went over security, but once again, no "security czar".

Or are you trying to imply that MS is now secure?

Not a bad idea,

[Hawthorne01 (575586)]

Especially if the appointee is a highly-visible and respected switcher to OSX from the open-source community.

If nothing else, it'll start an effective and accurate comparison of the state of security between OSX and Winodws, a feature of OSX that Apple has not stressed as much in their ads as they should.

They recently hired on the FreeBSD CSO

[ninja_assault_kitten (883141)]

Jacques A. Vidrine was recently hired on (leaving Verio) and now holds a high level position in the Apple Information Security. Jacques was the former FreeBSD Security Officer

It's just how you handle the marketing

[sprior (249994)]

"Creating a CSO position may be viewed by some as an admission of weakness." - Not if they market the position like the Maytag Repair Guy...

Just ask Microsoft

[gEvil (beta) (945888)]

Remember that to the average luser, anything made by Microsoft is top-notch. If it weren't, they wouldn't be in the position they're in market-wise. It's all those damn "hackers" out there that cause the problems, not Microsoft.

Re:Just ask Microsoft

[gEvil (beta) (945888)]

Oh, I'm well aware of the difference. Remember that my post is coming at it from the angle of the average know-nothing computer user. They've probably never even heard the term 'cracker' before. They only know about 'hackers.'

Biased poster

[by Anonymous Coward]

It's not FUD if the vulnerabilities are real. The fact that not many machines were affected is not relevant. With only 3% of the OS market - I wouldn't expect any Apple outbreak to bring down the house. The point is - Mac's are not immune and the sooner people realize it and cast off their false sense of security the better.

Re:Biased poster

[dclydew (14163)]

Esclation of Privileges is a vulnerability, the last time I checked.

What is it with the 'Czar' title?

[Aspirator (862748)]

Why is it we have so many 'Czar' titles nowadays?

What about other titles for potentates?

'Chief' 'King' 'Master' 'Commander' 'Lord' .......

Re:What is it with the 'Czar' title?

[mscdex (774392)]

In Soviet Russia, the security Czar appoints Apple!

That's not security, that's marketing

[mmarlett (520340)]

It would seem that what the author really wants is for Apple to comment on silly people doing things with Apple computers, which is the job of a marketing person. The marketing person just goes and asks someone authoritative sounding to comment, wraps that in pretty and feeds it to the public. No big deal. And that's certainly not a reason to make a security czar.

Perception?

[hackstraw (262471)]

it's the public perception, not the reality that really matters.

OK, then everybody else can stick to the illusion of security with Windows despite reality, and I'll be happy in the reality of my secure OS X machines.

OS X is not 100% secure, but out of the box, its about as secure as any system can be that has a network adaptor in it. Try this on your average box:

netstat -an |grep -i listen
tcp4 0 0 127.0.0.1.631 NOT JUNK LISTEN
tcp4 0 0 127.0.0.1.1033 NOT JUNK LISTEN

Go ahead, break into 127.0.0.1. I dare you.

Please use fewer junk characters OK Please use fewer junk characters OK Please use fewer junk characters OK Please use fewer junk characters OK Please use fewer junk characters OK Please use fewer junk characters OK

Re:Perception?

[Bull999999 (652264)]

Go ahead, break into 127.0.0.1. I dare you.

I will take that challenge using all of the tools that I have. You'll be sorry when I break into your...

CONNECTION DROPPED

He's not calling for a CSO

[Red Flayer (890720)]

This isn't about Mac security, it's about public perception of Mac security. He's calling for a VP of Marketing/Publicity for Security Issues.

As stated in the article, putting security in the hands of an individual is counter to Apple's philosophy of having security be a priority for everyone.

I personally think Apple's better off letting third parties defend the FUD; they seem to be doing a swell job with the last two instances. By now, no one in the know doesn't know that the past two were FUD. //sorry for the awkwardness of that sentence)
Those who aren't in the know didn't even hear about it.

IMO, we should never ASK a company to add in another layer of publicity and marketing. That's asking to be mislead by slanted information, be it MS, Apple, Google, IBM, or whomever.

MS's problem is the reality, not the perception

[mbeckman (645148)]

Microsoft's probem isn't the public perception that it has security problems. It's concrete, measurable, reality that thorns their side. It's Microsoft who floated the "Windows get hacked because its a bigger target" fantasy. But you can take a Mac out of the box and scan it and find zero open ports. A Windows machine has more than a dozen. Those ports are open for Bill's benefit, not for the customers'. Bill wants to keep his fingers in every Windows box, and won't give up that capbility in exhange for better security. Yes, the Mac probably still has some OS flaws that hackers could exploit, and thus Apple can't be complacent. But at least Steve isn't holding the door open to let the hacker inside.

Wow, talk about an unassailable position

[hey! (33014)]

it would be a good way for Apple to inoculate itself against the perception -- warranted or not -- that Mac security may be eroding

While I agree that every company that sells operating systems should take security seriously, and that having somebody responsible is practically always a prerequisite to being "serious", it's really too bad that people don't seem to absorb a bit more reasoning skill by the time they get out of school.

Sure, Apple's relatively superior security record "may" erode as they start to gain market share and visibility to the black hats. In fact I'd say there's not much room for it to go other than the direction of erosion. However, we don't have any evidence that that anything like a disaster is about to happen. You can posit that terrible things may happen, and nobody can prove you wrong. You could posit that Steve Jobs is the vanguard of an alien mind-control invasion, and nobody could prove that wrong either. These are the sort of things that can only be proved in an affirmative sense: some researcher finds a vulnerabilityin the Mac OS authentication system, or tentacles suddenly springing from Steve's head.

Right now I'd say the biggest problem are the Mac user base's overconfidence. While back in the day, Mac users did struggle quite a bit with viruses, which were oh-so-much more interesting to write for the more advanced Mac platform than for DOS, recently, they're getting a bit cocky. They're not as used to the security patch grind as the people running Windows.

Security Czar role will fit in well in Apple

[dwalsh (87765)]

He will be able to work closely with the Quality Emperor. Both ultimately report to the Development Shogun. His office is just down the hall from the Usability Kaiser.

Every week, they hold a cross group meeting with the Sultan of Marketing, the Sales Duchess, and the Distribution Führer. They all are answerable to the Grand Baron of Charging More for Stuff because it is Shiny (he prefers people call him Tim, for brevity).

The wrong perspective.

[keilinw (663210)]

I've examined and compared the security features of operating systems for many years now and I can tell you one thing for certain. No "useful" operating system is invulnerable... and this includes Mac OS X, regardless of what hardware it is running on.

Of course, you could argue that it be completely locked down with no keyboard or connection to the Internet, etc... but this would be a completely moot point.

With this in mind lets consider the overall design of the security subsystem. Apple Mac OS X is much better DESIGNED than Windows in its current state. I won't delve into detail about protected memory, access controls, permissions, default configurations, open ports, etc... but out of the box Mac OS X is more "security minded" that Microsoft's Windows.

Now, keep in mind that things ARE changing. No matter how much heat Microsoft takes they are still managing to improve the quality of their product. Windows XP is a far superior product (security wise) than was 98 or ME... and it appears that the next version of Windows is even more security conscious.

In conclusion, people should not "judge" an OS based on the potential for it to have problems... they all will. Mac OS X has enjoyed a reputation for safety that is based on many factors (including having a small market share). However, the bottom line is that it is very "security aware" and has the potential for you to lock it down even more... and this is the right perspective to look at.

Matt Wong
http://www.themindofmatthew.com [themindofmatthew.com]

We need to defend against scare tactics

[cocoamix (560647)]

from a group secretly funded by Microsoft who call themselves "OS X Veterans for Truth."

Pictures of Jane Fonda on her iMac will be forthcoming.

Just ask Microsoft

[truthsearch (249536)]

Just ask Microsoft.

Or an ex-customer like me [msversus.org].

Perception of course matters to many people. But hopefully reality matters to many more people.

Apple, please... just please... do everything you can to keep your customers' computers safe. That's all I ask. Appoint a CSO or don't, I don't care.

Uhh, personally

[mcc (14761)]

Personally I think they'd be better served by concentrating on improving their security, rather than concentrating on improving their security-related PR.

Analysts and bloggers crowing endlessly about "Apple/Linux/Firefox/whatever don't have better security, they're just smaller" gets attention for a little while, but just let time pass. Eventually people realize they're being cried wolf to. After a few years people will have forgotten the bloggers, but will remember whatever the next major Windows worm incident that gets on the nightly news turns out to be.

Unfortunately, this only works if you really do have better security. And while this article is just talking about media events like the mac mini challenge as if they're all that matters, Apple has had real security problems of late. Whether or not the mac mini challenge was important for real security there are apparently some os x privilidge escalation exploits floating around, and there was that incredibly embarrassing bug [slashdot.org] awhile back where Safari could be tricked into launching a shell script as if it were a .jpg. Exploits based on getting the operating system confused about filetype mismatches are really the kind of thing we should not be seeing in 2006, especially since (1) OS X has had security issues of this exact same type before and (2) this is the exact kind of exploit which is the basis for many Windows e-mail worms. Apple needs to take this seriously.

Taking this seriously does not mean-- as the article suggests-- appointing someone to talk to the press about how great Apple's security is. It means actually fixing the problems, and making some effort to see what other problems might be out there. PR is temporary, and if you do too much of it it can backfire (as people start to assume anything positive they read about your platform is just a result of PR). Real security problems like the filetype bug I mention can impact your reputation for years, no matter how much you try to spin them.

Speaking of which, there was a new security update on Apple Software Update this week. Anyone know what exactly that covered? Is the jpg/sh MIME or whatever problem fixed yet?

personally I'd like to see.....

[joe 155 (937621)]

more information about the security for mac. I think the security is good enough, but (and I know I sound mental) I feel more secure on windows, because even because i might get a virus/spyware I've got pretty good at knowing how to deal with it if I get it and not get it. If I was on mac and got any security problem I'd never know and so it could run for ages...

That said i do want to migrate...

Apple should put up a honeypot.

[FFFish (7567)]

Put up a stock OS X box, with default config, and encourage the blackhat crowd to go for it. Take what they learn, apply it to the system updates, and re-iterate.

Oh please ...

[tbone1 (309237)]

Does anyone really believe that adding more bureaucracy is going to make security better? Somehow I question this being a sufficient, or even necessary, condition.

Business Weak

[Doc Ruby (173196)]

At least with this story we get a peek at how Business Week sees the world. A "Security Czar" job is to create propaganda, not enforce security policies. Appointing such a person is principally "an admission of weakness", not a declaration of strength.

Who do they back on National Security issues? How do their favorite National Security spokesmodels rate?

Might not be in Apple's gameplan.

[ZombieRoboNinja (905329)]

It's my understanding that thus far, Apple has been intentionally downplaying their system's security because they don't want to be seen as taunting hackers. A "security czar" might be seen by Apple as just such a misstep. The last thing they want is a guy standing up at an Apple podium exclaiming how their security is invincible, because that's one sure way to make themselves a bigger target.

Re:I Don't See What all the Fuss is About...

[oberondarksoul (723118)]

If Apple had wanted to move to Windows, they could well have done so a long time ago. They even considered using the NT kernel for the next-gen Mac OS before they settled on NeXTSTEP. Thus far however, they've shown no signs that they're even considering it; and if you look at it, does it make sense? Apple are doing very well producing both the hardware and the software, and the software is definitely considered important to Apple (at the WWDC 2005, Jobs said "the heart of the Mac is its operating system"),

What about U of Wisconsin?

[maggard (5579)]

Welcome to the Intarwebby thing.

Instead of bleating for help howzabout looking up your question for yourself?

"university wisconsin mac challenge" are some good key words.

If you think the topic is of general interest then post back your results.

Re:U of Wisconsin?

[ryanr (30917)]

Turns out he didn't get permission from the university to run a hacking challenge, and had to pull it. Whoops.

Re:Debunked?

[99BottlesOfBeerInMyF (813746)]

The second challenge debunks nothing. One challenge gave shell access, the other didn't.

The second challenge did not debunk the first challenge, it debunked the poorly written and misleading articles about the first challenge by replicating the situation the articles depicted the first challenge as being.

Only one of those actually ended up demonstrating a result.

You can't logically prove a negative. What amount of time is sufficient to show something won't ever happen?

Not to mention that the second challenge was pulled early...

But not because it was hacked. It was pulled for reasons outside the control of the person running it and certainly stood up to more than 30 minutes of attacks, thus the sensationalist articles were debunked.

...and not that I expect someone to give away a remote shell exploit for free to prove a point.

Remote "shell" exploit? Why would it be a shell exploit, necessarily?

I certainly think it is likely there are remote exploits for OS X out there. There are certainly a lot of white hats and other crackers that would love the publicity this could have generated for them. There are also a lot of people that would like to quiet down the small number of uninformed, overzealous fans of OS X that at times can be quite annoying. What this has show is that remote exploits are not common enough that people can demonstrate one to show boat and they are not easy enough to find that they can be found and demonstrated by the white hats in that short a period.

Basically this confirmed what pretty much every security person already has plenty of evidence to support. The point you are missing is that while the original test was somewhat useful, the very poor articles about the original test spread misinformation and FUD that did more damage than the original test did good. It is those articles that this challenge was designed to rebuke and it has done that much at least.

Re:non-incident?

[99BottlesOfBeerInMyF (813746)]

Could someone please enlighten me as to why it is possible for a least privileged user account to gain root without the consent of the owner to be classed as a "non-incident"?

It isn't a non-incident, but neither is it a remote exploit. Apple fixes 5-10 local escalations a month in their security updates, many of which are found by outside security people. Thus exposing one more is not exactly news. This is the same for Linux or most any other OS not designed to be ultra-secure. (Except Windows which has