
Two Black Hat Talks On Apple Security Cancelled

Posted by kdawson
from the can't-say-that dept.
An anonymous reader writes "Two separate Apple security talks have been nixed at the last minute from next week's Black Hat security conference in Las Vegas. The Washington Post's Security Fix blog reports that Apple researcher Charles Edge was to present on flaws in Apple's FileVault encryption plan, but asked Black Hat to cancel the talk, citing confidentiality agreements with Apple. Then on Friday, Apple pulled its security engineering team out of a planned public discussion on the company's security practices — which would have been a first for Apple. 'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said."
  • Marketing? (Score:5, Insightful)

    by KDR_11k (778916) on Sunday August 03, 2008 @08:06AM (#24455221)

    Sounds like the marketing policy is "pretend there are no security issues". Hey, it seems to work.

    • Re:Marketing? (Score:5, Informative)

      by mikael_j (106439) on Sunday August 03, 2008 @08:47AM (#24455401)

      Sounds like just about every large ISP I've had the "pleasure" of working with. A small ISP's president will go issue a press release saying "Lightning took out two of our DSLAMs last night but it will be fixed ASAP", they'll most likely also record an automated message informing customers calling tech support about this. A large ISP OTOH will most likely keep quiet as long as possible, then issue a small notice on their website stating "Some of our customers are currently experiencing technical difficulties, our intarweb experts are investigating the problem and hope to have it fixed soon" and no information to customers calling tech support other than "There are 173 customers ahead of you, the wait time is 2 hours and 12 minutes".

      /Mikael

      • Sounds like my ISP. They never accept any blame. A few months ago my Internet goes out. I call my brother 4 blocks away and his is down as well. I verify with a coworker that his Internet is down as well. I then call tech support and wait on hold for thirty minutes. When I ask when Internet will be back in my area they claim everything is fine and try to talk me through the "check your modem, are you using a router? etc.." lines. After trying to explain that the problem isn't just me the tech insists that
        • by NateTech (50881)

          People don't realize that cheap service comes with no guarantees. Step up to business-class service (from any carrier, or cable company) and get Service Level Agreements in writing -- and you get money back in your pocket every time the line goes down.

    • well, not that I'm in love with it, but maybe its "we'll cross that bridge when we come to it."

    • Re:Marketing? (Score:5, Interesting)

      by fortyonejb (1116789) on Sunday August 03, 2008 @10:18AM (#24455823)
      It's somewhat of a sad fact that this has been considered fair and normal practice in the industry. Maybe because no real "safety" issues can be dragged into the mess, people who are not in the know simply do not care.

      Just to make sure I'm /. approved, let's use the highly venerated auto industry. When product issues come up, auto makers must make their shortcomings public, and even issue recalls to fix said problems.

      Just because my PC doesn't explode when hit from the rear, doesn't mean the shortcomings are any less valid. While of course marketing does not want anyone to know anything bad could ever happen with a Mac, it would be better for the company and its clients to have a more open dialog. Pretending there are no holes does not fill them.
      • Re:Marketing? (Score:4, Insightful)

        by billcopc (196330) <vrillco@yahoo.com> on Sunday August 03, 2008 @10:32AM (#24455903) Homepage

        When product issues come up, auto makers must make their shortcomings public

        Um, no. Recalls are a business strategy like any other. The lawyers sit down with the accountants, figure out total costs for a recall and a class-action lawsuit, and pick the cheaper of the two.

        You'd be shocked to find out how often the lawsuit actually ends up cheaper. That's largely because class-action settlements have a very narrow scope, and only a small portion of the customer base will actually join the class.

    • Re: (Score:3, Insightful)

      by falcon5768 (629591)
      Well the issue is from a marketing perspective it DOES look bad, but from USER perspective it looks good, but only to those of us in the industry who care, which is NOT who marketing is going after.
    • Re: (Score:2, Insightful)

      by Truekaiser (724672)

      That's because Jobs is an egomaniac. Any flaw means there was a mistake, and egomaniacs think they never make mistakes.

    • When will any of the computer companies understand: what isn't said is just as bad, as what is said?

      Hello, Marketing and PR 101??

      The very folks who know about security flaws, won't get much more insight in the "how and what", as they already did the probing to find out. But the general public can learn how a company really treats this aspect in their organization. End users r-e-a-l-l-y need to know that such companies do understand that security flaws aren't something to put on the backburner to fix, but to

    • by Ilgaz (86384)

      With a community like this (yes, I use mac) it will work.

      Of course the über trolls and PR on "other side" makes it worse and gives community the much needed false trust. You figure out a very evil security breach on OS X, it has been verified by Apple too but... You give the job to PR team and they come up with "Mp3 virus!!!" stupidness.

      How would people trust your alerts (most of them are real) later? Or DOS'ing people's default browser via the jp2 exploit just to show off? Anyway, I just say we need a really w

  • by Anonymous Coward on Sunday August 03, 2008 @08:18AM (#24455265)

    From a management and shareholder perspective I think it's quite normal and understandable of Apple to create such a policy.
    A self-acclaimed public spokesperson representing your company on a subject without prior permission?

    You must be a veteran here but new on the job market.

    • by vertinox (846076) on Sunday August 03, 2008 @09:12AM (#24455499)

      From a management and shareholder perspective I think it's quite normal and understandable of Apple to create such a policy.

      For a short-term holder, yes, but if you are a long-term one, then bad PR like this isn't desirable for the company's image over the course of several years.

      Besides, just because you don't disclose the exploit, doesn't mean it goes away.

    • by lostmongoose (1094523) on Sunday August 03, 2008 @09:27AM (#24455577)
      The problem is not that they need permission. The problem is that they need permission from *marketing*. This should be the legal team's job. When you let marketing make these decisions, management (not the engineers, obviously) have effectively said "There are no flaws in our product and if you say there are then we're wrong and we all know we're never wrong."
      • When you let marketing make these decisions, management (not the engineers, obviously) have effectively said "There are no flaws in our product and if you say there are then we're wrong and we all know we're never wrong."

        This is APPLE you are writing about. Apple is a gigantic marketing company wrapped around a very tightly controlled core of engineers. There are pockets of other groups (legal, manufacturing, etc) inside the marketing layer but those too are tightly controlled. Nothing escapes the marketing layer. Nothing.

        Not that there's anything wrong with that, mind you.

  • Again, this is the perfect example of not admitting that there is a "problem" and willing to fix it ... SB
  • I guess Apple is still very much old school when it comes to admitting their mistakes. Or they just might believe in security through obscurity. Either way, this move puts them in the limelight even more. Great work, marketing. Someone deserves to be fired...
  • by bxwatso (1059160) on Sunday August 03, 2008 @09:40AM (#24455641)
    This must be bittersweet for Steve B., since Apple likes to tout that its software is more secure than Vista. I wonder if Walt Mossberg is taking note of this.

    I think Steve J.'s brand of evil is about the same as MS's, but because they are perceived as underdogs, people don't care as much.
    • Re: (Score:2, Interesting)

      by eclectic4 (665330)
      "This must be bittersweet for Steve B., since Apple likes to tout that its software is more secure than Vista. I wonder if Walt Mossberg is taking note of this."

      Why? I didn't read anywhere in this article that stated Mac OS X is less secure than Windows... as it would be just plain silly.

      "I think Steve J.'s brand of evil is about the same as MS's, but because they are perceived as underdogs, people don't care as much."

      You may be right. But it doesn't change the fact that more and more consumers
      • by bxwatso (1059160) on Sunday August 03, 2008 @11:19AM (#24456261)
        My points were that if Apple is really more secure than Vista, Apple would welcome a thorough investigation of its OS. In that regard, MS is more proactive. Personally, I find both OS's acceptable regarding security.

        I do think that a lot of people are turned off by the size of MS more than the quality of its products. A lot of people want something different to express themselves. Even when Apple truly sucked (and it did), a fair number of people stuck with them presumably to distance themselves from the giant and evil MS.
        • by Smurf (7981) on Sunday August 03, 2008 @06:10PM (#24459817)

          My points were that if Apple is really more secure than Vista, Apple would welcome a thorough investigation of its OS.

          Probably. But do take into account that the engineers (i.e., the people who actually KNOW the technical details) WANTED to have the discussion.

          The decision to cancel it came from marketing, those who don't understand the technical details but are reasonably afraid that someone might pull a rabbit from their hat and make Macs look bad.

          • by WNight (23683)

            Yes, that is the knee-jerk reaction you'd expect from marketing.

            The problem is that it's overriding Engineering's attempts to actually improve the product.

            Maybe someone should be afraid that a hacker WILL pull a rabbit from his hat, and use it to demonstrate the flaws of their security model. A code-red level worm, now, would be a huge market killer.

        • Re: (Score:3, Interesting)

          by porcupine8 (816071)
          Not necessarily - if they are more secure than Vista, but less secure than the current public perception, then why would they want to bring public perception of their security down, even if it's still higher than Vista?
        • I do think that a lot of people are turned off by the size of MS more than the quality of its products.

          Or maybe it's their mediocre products and utter disregard for their customers and partners that turns people off?

        • by Troglodyt (898143)

          When you say "if Apple is really more secure than Vista, Apple would welcome a thorough investigation of its OS" you're assuming the marketing department are being rational.

          • by bxwatso (1059160)
            Fair enough. Marketing is society's solution for what to do with psychopaths and morons.

            That being said, I suspect Steve J. made this decision.
      • Re: (Score:3, Funny)

        by azav (469988)

        You are absolutely correct. It still sucks, it just sucks less.

        I remember the Apple internal code name for their sound manager in or around 1989. It was called Barking Pumpkin and their motto was "it just sucks less."

        • by azav (469988)

          Oh my god. I'm reporting that the software is not perfect and stating a historical precedent and I'm marked a Troll? You've got to be kidding me.

  • by Anonymous Coward on Sunday August 03, 2008 @09:55AM (#24455703)

    Apple's marketing is genius.

    A few years back, they were talking up how FileVault (home folder encryption) uses AES-128 encryption, implying that it would take longer to crack than the age of the universe.
    http://www.apple.com/sg/macosx/features/filevault/

    Meanwhile, the password could often be found in plain text on the hard drive in swap files. This was back before encrypting swap was an option.

    It's also funny how a company that sells itself as secure has root privilege escalation without a password as a feature out of the box.
    http://www.apple.com/sg/macosx/features/security/

    I guess the default account having root access is sort of an industry standard given Windows. Phrases like "wise architectural decisions" are relative, so not strictly false. I won't touch "intelligent design".

    But saying, and I quote, "The Mac OS X administrator account, unlike the Windows admin account, disables access to the core functions of the operating system." is an outright lie (see above "root privilege escalation feature").

    • by Dog-Cow (21281)

      I've always been prompted for my password when performing admin actions under OS X.

    • It's also funny how a company that sells itself as secure has root privilege escalation without a password as a feature out of the box.
      http://www.apple.com/sg/macosx/features/security/

      I can't see that anywhere in the link you're citing, could you please point out where it says that? To have a proper discussion about things we need facts not unfounded accusations. I don't have any problem believing Apple might have done something like that but I need a proper link.

  • While it's pretty sad to hear that their security team is not allowed to speak, there are still two talks about Apple products left: Jesse D'Aguanno's talk about rootkits for OS X, and Petko D. Petkov, who announced he might provide some details about a 0-day attack against QuickTime.
  • Rule #1: You do not talk about Apple flaws
    Rule #2: You DO NOT talk about Apple flaws
    Rule #3: If someone says "stop" or goes limp, taps out we make him the CEO
    Rule #4: Only two sentences to an argument
    Rule #5: One argument at a time
    Rule #6: No punch, no daiquiris
    Rule #7: Cover-ups will go on as long as they have to
    Rule #8: If this is your first night at Apple flaws, you HAVE to swallow

  • by Anonymous Coward

    It doesn't surprise me that Apple's marketing team doesn't allow comment on practices, fixes or developments... they don't even get back to the people finding issues, like Jon Longoria on the Spaces theoretical vulnerability. I emailed him to see if he had gotten comment and was told no one would talk with him to discuss the problem or attempt a fix. RE: http://thereformed.org/2008/05/03/theory-apple-osx-spaces-vulnerable/ . I don't really get wtf is wrong with Apple, I think they're locking up under the strain of

  • Not Surprised (Score:2, Interesting)

    by Anonymous Coward

    I'm not really surprised to see a corporation-sponsored "hacker" conference have talks canceled due to confidentiality agreements.

    I've yet to hear a real hacker conference have their talks canceled due to something like that. Normally cancellations involve the speaker being escorted out in handcuffs.

    But honestly there are far better, and more hacker-centric conferences out there than Black Hat. Conferences that come to mind are Chaos Communications Camp (or Chaos Communications Congress in the winter), Def

    • by the_B0fh (208483)

      You've not been to defcon, have you? Blackhat's just a paid prequel to defcon - all the folks who talk at blackhat typically talk at defcon as well.

  • by azav (469988) on Sunday August 03, 2008 @11:39AM (#24456433) Homepage Journal

    1. Create two accounts on your Mac. One is a throwaway with FileVault turned on.
    2. Log in to both and switch to your non FileVault account.
    3. Copy a large enough chunk of data to the drop box of the FileVault user so that you will ALMOST fill up the boot drive.
    4. Duplicate that data to another folder on your boot drive.
    5. Wait till the hard drive fills up and you have 0 K on the drive.
    6. Launch Safari and load a few web pages with lots of rotating ads. This is to guarantee that more data is being brought onto the hard drive.

    At some point, the FileVault account becomes corrupted. You can't log in to it, you can't recover it. It's gone.

    • Solution: (Score:3, Informative)

      by e4g4 (533831)
      chmod go-w ~/Public/Drop\ Box

      Admittedly - it is a problem, but it certainly has a workaround.
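The workaround above is a single chmod on one directory. As an added example (not the commenter's code, and not anything Apple ships), here is a small POSIX sh audit that generalizes it: it finds every directory under a home directory that group or others can write into, which is the property that lets a second local user fill the disk through the Drop Box, and optionally strips those write bits with the same chmod go-w. The home directory path, and the sample tree built in the demo, are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original thread. Audits a home directory for
# directories writable by group or others and optionally tightens them.
# Assumes a POSIX find(1) that accepts symbolic modes with -perm.

# Print every directory under $1 that group or others may write into.
loose_dirs() {
    find "$1" -type d \( -perm -g+w -o -perm -o+w \) -print
}

# Number of such directories, for scripted checks ("0" means clean).
count_loose() {
    loose_dirs "$1" | wc -l | tr -d ' '
}

# Remove group/other write on each loose directory, keeping every other bit
# (owner access, execute/search bits, sticky bit) intact. This is the
# commenter's chmod go-w applied to everything the audit found.
tighten_dirs() {
    loose_dirs "$1" | while IFS= read -r d; do
        chmod go-w "$d"
    done
}

# Demo on a constructed throwaway home directory (assumed layout: the classic
# Drop Box mode 733, owner full access, group and others write+search only).
demo() {
    home=$(mktemp -d)
    mkdir -p "$home/Public/Drop Box" "$home/Documents"
    chmod 733 "$home/Public/Drop Box"
    chmod 755 "$home/Documents"
    echo "loose before: $(count_loose "$home")"   # expect 1 (the Drop Box)
    tighten_dirs "$home"
    echo "loose after:  $(count_loose "$home")"   # expect 0
    rm -rf "$home"
}
```

Run it as `sh audit.sh` with a trailing `demo` call, or source it and call `loose_dirs "$HOME"` to see what a real account exposes before deciding to tighten anything; note that tightening the Drop Box also stops legitimate users from dropping files there, which is the trade-off the commenter accepts.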
      • by Ilgaz (86384)

        So Apple could add that sh thing to recent security updates postflight script, it would take like 100 bytes?

        That is the issue. It was the exact same command to secure Input Managers in users' home directories on Tiger. I did it (as I have legit stuff), everything worked flawlessly. Why didn't they do it? They later admitted the issue and made Input Managers function in /Library/Input Managers owned by root on Leopard.

        A script like TIGER on Linux could really make OS X almost rock secure but developers a

    • Re: (Score:3, Informative)

      by bill_mcgonigle (4333) *

      Here's another: You can't use Time Machine properly if you use FileVault. Backup or encryption, pick one.

      • by azav (469988)

        What's the nature of the flaw? How does it fail?

        • What's the nature of the flaw? How does it fail?

          It won't back anything up if you're logged in, and then if you log out, it'll only backup the disk image, not the files inside it. Which pretty much defeats the whole point of the thing.

  • The sad thing is (Score:5, Insightful)

    by ILongForDarkness (1134931) on Sunday August 03, 2008 @11:54AM (#24456571)
    Apple makes pretty good products. But in some ways their business practices are worse than Microsoft's. They are so secretive that it is scary. They add to it by attacking the PC industry and saying how their product is better, but all they will give you for information is press releases. At least MS is finally being more open with what is going on in the background with things like Channel 9 and various blogs. There is a line where you have to protect company interests, but it shouldn't compromise the customers' ability to make an informed choice.
  • 'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said."

    Then Apple marketing people aren't very smart, are they? Because it sure isn't helping the perception that Apple is lax on security.

    • by mjwx (966435)

      Then Apple marketing people aren't very smart, are they? Because it sure isn't helping the perception that Apple is lax on security.

      On the contrary,

      Apple has always been like this. OS X has always practised security through obscurity and used takedown orders and NDAs to hide flaws. The simple fact that people are only just beginning to see this is proof of the great job that Apple marketing has been doing. As always, it's impossible to carry on a lie forever.

  • Obviously Marketing rules at Apple. And you're surprised -- why?
  • Hacker: "Hai dude, your OS is insecure"
    Apple: "No, it is perfectly secure"
    Hacker: "Seriously, duuuude, watch me hack your machine"
    Apple: "Can't be done, our software was blessed by the gods of Steve"
    Hacker: "Duude, I'm not kidding, I'm in your machine, watch as I buy some child porn with your credit card"
    Apple: "Ha, all a figment of your imagination, our marketing department says we have the best operating system in existence"
    FBI "excuse me sir I would like to talk to you regarding the purchase of illicit chil
  • This is a stumbling block on Apple's road to the enterprise. That's out of alignment with the technology plan for Snow Leopard Server, which includes many new features directly aimed at supporting the mid-sized enterprise.

    Combine that with the general trend towards browser-as-client, and with the advent of VMware Fusion and Parallels, at a time when there's no compelling case to deploy Vista during a desktop refresh, and Apple has a significant position from which to attack the enterprise desktop and backend.

    However:

    • Stopped reading at [insert buzzword here], but you are correct--presenting themselves as the most closed option available will not help Apple attract enterprise customers.
  • Hackers: We're gonna present security issues with Apple solutions at the Black Hat Conference in Vegas! Its going to be great!

    Apple Marketing: *Waves hand*...There are no security issues with Apple products.

    Hackers: There are no security issues with Apple products.

    Apple Marketing: You will withdraw your presentations.

    Hackers: We will withdraw our presentations.

    Apple Marketing: You want to be in Apple's "PC and Mac" TV ads.

    Hackers: We want to be...No we don't!

  • Information is very clear... sounds interesting.. Thanks friend:) regards, www.elechub.com
  • I find it amusing that the Darwin kernel and MacOS X system software evolved from OpenBSD, another secretive project run by a paranoid lunatic.
    • (completely ignoring any issues of intentional inaccuracy)

      The difference between DeRaadt and Jobs is how they want things fixed.

      DeRaadt gets the issue solved. Jobs takes a page from Cisco and IBM by sending lawyers until the person is gone from the earth.

      • I won't ignore that the OpenBSD team actually gets things done, but both are more or less run on a dictatorial model and developers who disagree with that model quickly find themselves on the outside looking in.
  • Quote out-of-context (Score:3, Interesting)

    by stewbacca (1033764) on Monday August 04, 2008 @01:16PM (#24469271)
    The "marketing got wind of it" quote from the summary is attributed to the Black Hat organizer, not Apple's marketing department. There's your daily dose of Slashdot bias for ya.
