Two Black Hat Talks On Apple Security Cancelled

An anonymous reader writes "Two separate Apple security talks have been nixed at the last minute from next week's Black Hat security conference in Las Vegas. The Washington Post's Security Fix blog reports that Apple researcher Charles Edge was to present on flaws in Apple's FileVault encryption plan, but asked Black Hat to cancel the talk, citing confidentiality agreements with Apple. Then on Friday, Apple pulled its security engineering team out of a planned public discussion on the company's security practices — which would have been a first for Apple. 'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said."

Marketing?

[KDR_11k (778916)]

Sounds like the marketing policy is "pretend there are no security issues". Hey, it seems to work.

Re:Marketing?

[mikael_j (106439)]

Sounds like just about every large ISP I've had the "pleasure" of working with. A small ISP's president will go issue a press release saying "Lightning took out two of our DSLAMs last night but it will be fixed ASAP", they'll most likely also record an automated message informing customers calling tech support about this. A large ISP OTOH will most likely keep quiet as long as possible, then issue a small notice on their website stating "Some of our customers are currently experiencing technical difficulties, our intarweb experts are investigating the problem and hope to have it fixed soon" and no information to customers calling tech support other than "There are 173 customers ahead of you, the wait time is 2 hours and 12 minutes".

/Mikael

Re:

[piltdownman84 (853358)]

Sounds like my ISP. They never except any blaim. A few months ago my Internet goes out. I call me brother 4 blocks away and his is down as well. I verify with a coworker that his Internet is down as well. I then call tech support wait on hold for thirty minutes. When I ask when Internet will be back in my area they claim everything is fine and try to talk me through the "check your modem, are you using a router? etc.." lines. After trying to explain that the problem isn't just me the tech insists that

Re:

[catmistake (814204)]

well, not that I'm in love with it, but maybe its "we'll cross that bridge when we come to it."

Re:Marketing?

[fortyonejb (1116789)]

It's somewhat of a sad fact that this has been considered as fair and normal practice in the industry. Maybe because no real "safety" issues can be dragged into the mess, people who are not in the know simply do not care.

Just to make sure i'm /. approved, lets use the highly venerated auto industry. When product issues come up, auto makers must make their shortcomings public, and even issue recalls to fix said problems.

Just because my PC doesn't explode when hit from the rear, doesn't mean the shortcomings are any less valid. While of course marketing does not want anyone to know anything bad could ever happen with a Mac, it would be better for the company and its clients to have a more open dialog. Pretending there are no holes does not fill them.

Re:Marketing?

[billcopc (196330)]

When product issues come up, auto makers must make their shortcomings public

Um, no. Recalls are a business strategy like any other. The lawyers sit down with the accountants, figure out total costs for a recall and a class-action lawsuit, and pick the cheaper of the two.

You'd be shocked to find out how often the lawsuit actually ends up cheaper. That's largely because class-action settlements have a very narrow scope, and only a small portion of the customer base will actually join the class.

Re:Marketing?

[porcupine8 (816071)]

The question is - do you know this to be true from personal industry experience, or are you just quoting Fight Club?

Re:

[Poltras (680608)]

The question is - do you know this to be true from personal industry experience, or are you just quoting Fight Club?

Damn, you forgot the first rule!

Re:

[falcon5768 (629591)]

Well the issue is from a marketing perspective it DOES look bad, but from USER perspective it looks good, but only to those of us in the industry who care, which is NOT who marketing is going after.

Re:

[Truekaiser (724672)]

thats because job's is a egomaniac. any flaw means there was a mistake and egomaniacs think they never make mistakes.

Re:Marketing?

[Bloodhound Alpha (1335331)]

The Marketing policy, not the company's policy. Obviously the company releases patches, but marketing, in relation to the public, pretends there are no issues. Quite a difference really.

Re:Marketing?

[Goaway (82658)]

Apple is quiet about everything. This is not a case of Apple trying to cover up security problems, it's merely that Apple talkes about nothing, ever, and that includes security policies.

Re:Marketing?

[Bloodhound Alpha (1335331)]

Indeed, that is their strategy. It does serve though, to cover up security problems, and get people used to them acting secretive because, well, they are secretive.

Re:Marketing?

[ScrewMaster (602015)]

'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said."

I'd say it's more likely that legal got wind of it, not marketing.

Re:

[alex4u2nv (869827)]

Its a very good practice to leave holes open for script kiddies.

--
Hide the problem until there's an avalanche in your face?

Re:

[Achromatic1978 (916097)]

Shades of MS my ass. Cite, please: "last time MSFT pulled a security talk from a conference".

Idiot.

Sounds very logic to me.

[by Anonymous Coward]

From a managements and sharehold perspective I think it's quite normal and understandable of Apple creating such a policy.
A self-acclaimed public spokesperson respresenting your company about a subject without prior permission?

You must be a veteran here but new on the job market.

Re:Sounds very logic to me.

[vertinox (846076)]

From a managements and sharehold perspective I think it's quite normal and understandable of Apple creating such a policy.

For a term holder then yes, but if you are a long term, then bad PR like this isn't desirable for company image over the course of several years.

Besides, just because you don't disclose the exploit, doesn't mean it goes away.

Re:Sounds very logic to me.

[lostmongoose (1094523)]

The problem is not that they need permission. The problem is that they need permission from *marketing*. This should be the legal team's job. When you let marketing make these decisions, management (not the engineers, obviously) have effectively said "There are no flaws in our product and if you say there are then we're wrong and we all know we're never wrong."

Shhh, if we don't admit anything

[CrypticSpawn (719164)]

I guess, Apple is still very much old school; when it comes to admitting their mistakes. Or they just might believe in security thru obscurity. Either way this move, put them in the lime light even more. Great work marketing. Someone deserves to be fired...

Re:Shhh, if we don't admit anything

[Sancho (17056)]

I wish there was an "incomprehensible grammar" mod....

Steve is not impressed

[bxwatso (1059160)]

This must be bitter sweet for Steve B., since Apple likes to tout that it's software is more secure than Vista. I wonder if Walt Mossberg is taking note of this.

I think Steve J.'s brand of evil is about the same as MS's, but because they are perceived as underdogs, people don't care as much.

Re:

[eclectic4 (665330)]

"This must be bitter sweet for Steve B., since Apple likes to tout that it's software is more secure than Vista. I wonder if Walt Mossberg is taking note of this."

Why? I didn't read anywhere in this article that stated Mac OS X is less secure than Windows... as it would be just plain silly.

"I think Steve J.'s brand of evil is about the same as MS's, but because they are perceived as underdogs, people don't care as much."

You may be right. But it doesn't change the fact that more and more consumers

Re:Steve is not impressed

[bxwatso (1059160)]

My points were that if Apple is really more secure than Vista, Apple would welcome a thorough investigation of its OS. In that regard, MS is more proactive. Personally, I find both OS's acceptable regarding security.

I do think that a lot of people are turned off by the size of MS more than the quality of its products. A lot of people want something different to express themselves. Even when Apple truly sucked (and it did), a fair number of people stuck with them presumably to distance themselves from the giant and evil MS.

Re:Steve is not impressed

[Smurf (7981)]

My points were that if Apple is really more secure than Vista, Apple would welcome a thorough investigation of its OS.

Probably. But do take into account that the engineers (i.e., the people who actually KNOW the technical details) WANTED to have the discussion.

The decision to cancel it came from marketing, those who don't understand the technical details but are reasonably afraid that someone might pull a rabbit from their hat and make Macs look bad.

Re:

[porcupine8 (816071)]

Not necessarily - if they are more secure than Vista, but less secure than the current public perception, then why would they want to bring public perception of their security down, even if it's still higher than Vista?

Re:

[azav (469988)]

You are absolutely correct. It still sucks, it just sucks less.

I remember the Apple internal code name for their sound manager in or around 1989. It was called Barking Pumpkin and their motto was "it just sucks less."

Apple Marketing is the "best".

[by Anonymous Coward]

Apple's marketing is genius.

A few years back, they were talking up how FileVault (home folder encryption) uses AES-128 encryption, implying that it would take longer to crack than the age of the universe.
http://www.apple.com/sg/macosx/features/filevault/

Meanwhile, the password could often be found in plain text on the hard drive in swap files. This was back before encrypting swap was an option.

It's also funny how a company that sells itself as secure has root privilege escalation without a password as a feature out of the box.
http://www.apple.com/sg/macosx/features/security/

I guess the default account having root access is sort of an industry standard given Windows. Phrases like "wise architectural decisions" are relative, so not strictly false. I won't touch "intelligent design".

But saying, and I quote, "The Mac OS X administrator account, unlike the Windows admin account, disables access to the core functions of the operating system." is an outright lie (see above "root privilege escalation feature").

Re:

[Dog-Cow (21281)]

I've always been prompted for my password when performing admin actions under OS X.

There are still some Apple-related talks left:

[secmartin (1336705)]

While it's pretty sad to hear that their security team is not allowed to speak, there are still two talks about Apple products left: Jesse Dâ(TM)Aguannoâ(TM)s talk about rootkits for OS X, and Petko D. Petkov who announced he might provide some details about a 0-day attack against Quicktime.

I haven't been fucked like that since the NextCube

[billcopc (196330)]

Rule #1: You do not talk about Apple flaws
Rule #2: You DO NOT talk about Apple flaws
Rule #3: If someone says "stop" or goes limp, taps out we make him the CEO
Rule #4: Only two sentences to an argument
Rule #5: One argument at a time
Rule #6: No punch, no daiquiris
Rule #7: Cover-ups will go on as long as they have to
Rule #8: If this is your first night at Apple flaws, you HAVE to swallow

Not Surprised

[by Anonymous Coward]

I'm not surprised really to see a corporation sponsored "Hacker" conference have talks canceled due to confidentiality agreements.

I've yet to hear a real hacker conference have their talks canceled due to something like that. Normally cancellations involve the speaker being escorted out in handcuffs.

But honestly there are far better, and more hacker-centric conferences out there than Black Hat. Conferences that come to mind are Chaos Communications Camp (or Chaos Communications Congress in the winter), Def

Here's a serious flaw with FileVault

[azav (469988)]

1. Create two accounts on your mac. One is a throaway with fileVault turned on.
2. Log in to both and switch to your non FileVault account.
3. Copy a large enough chunk of data to the drop box of the FileVault user so that you will ALMOST fill up the boot drive.
4. Duplicate that data to another folder on your boot drive.
5. Wait till the hard drive fills up and you have 0 K on the drive.
6. Launch Safari and load a few web pages with lots of rotating ads. This is to guarantee that more data is being brought onto the hard drive.

At some point, the FileVault account becomes corrupted. You can't log in to it, you can't recover it. It's gone.

Solution:

[e4g4 (533831)]

chmod go-w ~/Public/Drop\ Box

Admittedly - it is a problem, but it certainly has a workaround.

Re:

[bill_mcgonigle (4333)]

Here's another: You can't use Time Machine properly if you use FileVault. Backup or encryption, pick one.

Re:

[lukas84 (912874)]

As i understood it, one user can fuck up another users account, without the need for administrative privileges.

This *is* an issue.

The sad thing is

[ILongForDarkness (1134931)]

Apple makes pretty good products. But in some ways their business practices are worse than Microsofts. They are so secretive that it is scary. They add to it by attacking the PC industry and saying how their product is better but all they will give you for information is press releases. At least MS is finally being more open with want is going on in the background with things like Channel 9 and versus blogs. There is a line where you have to protect company interests but it shouldn't compromise the customers' ability to make an informed choice.

Re:

[ScrewMaster (602015)]

I'd say it's more like Apple is dependent upon the consumers in their chosen market segment being (to a certain degree) computer illiterate. And let's face it, computer illiterates aren't likely to make an informed choice when it comes to buying a computer or choosing an OS. All they can do is follow marketing fluff about simplicity and ease-of-use.

Now, that's no dig at Apple's products ... by and large they deliver on what their market-droids promise. It's just that Apple made the conscious choice to ta

Perception is that Apple is lax on security

[synthespian (563437)]

'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said."

Then Apple marketing people aren't very smart, are they? Because it sure isn't helping the perception that Apple is lax on security.

Marketing Rules

[Nom du Keyboard (633989)]

Obviously Marketing rules at Apple. And you're surprised -- why?

One day in Vegas

[EEPROMS (889169)]

Hacker "Hai dude your OS is insecure"
Apple "No, it is perfectly secure"
Hacker" Seriously, duuuude, watch me hack your machine"
Apple "Can't be done, our software was blesses by the gods of Steve"
Hacker" Duude, Im not kidding Im in your machine, watch as I buy some child porn with your credit card"
Apple "Ha, all a figment of your imagination, our marketing department says we have the best operating system in existence"
FBI "excuse me sir I would like to talk to you regarding the purchase of illicit chil

Misalignment with Snow Leopard

[jjgm (663044)]

This is a stumbling block on Apple's road to the enterprise. That's out of alignment with the technology plan for Snow Leopard server, which includes many new features [apple.com] directly aimed at supporting the mid-sized enterprise.

Combine that with the general trend towards browser-as-client, and with the advent of VMware Fusion and Parallels, and at a time when there's no compelling case to deploy Vista during a desktop refresh. Apple have significant position to attack the enterprise desktop & backend.

However:

Quote out-of-context

[stewbacca (1033764)]

The "marketing got wind of it" quote from the summary is attributed to the Blackhat organizer, not Apple's marketing department. There's you daily dose of slashdot bias for ya.

Re:

[MyLongNickName (822545)]

preferred method should be beating to death by a stick.
My guess is you lack the upper body strength to pick up a stick.

Re:

[Macthorpe (960048)]

And the brainpower to work out which end of the stick to hit someone with...

Bill Hicks On Marketing

[conner_bw (120497)]

R.I.P. [youtube.com]

Re:

[PC and Sony Fanboy (1248258)]

Profit only goes to the black hat accepting money to shut up, so apple doesn't have to fix things right now.

Re:

[dangitman (862676)]

It's Apple. Shouldn't that be:

1. Profit!
2. ???
3. There is no step three.

Re:

[aliquis (678370)]

Unless:

1. Profit!
2. Steve Jobs quit/dies/..
3. ???

Personally I'd be happy with:
1. Flash dies (if not possible Adobe release better flash version for macs.)
2. Apple "get" gaming.
3. Apple sell hardware for a decent price.
4. Apple sell well-speced machines.
5. Apple focus on OS X and not lots of other bullshit.

But maybe that's just me ;)

If nothing of the above would be possible (and it's not very likely to happen) this would work to:
1. The free software desktops gets some commercial quality software in all genre

Re:

[Tom90deg (1190691)]

Well, of course! Apple is the underdog. Never mind the fact that is has the number one selling music player, and the market share is increasing, and that iTunes is extremely popular, and people are killing others for a iPhone...

Oh wait. Maybe Apple ISN'T the underdog. Maybe its practices are just the same as any other large company that wants to make a profit. It's no different from any others in that respect, in fact, it may be worse, as people excuse Apple for a lot, as they still think of it as the under