Two Black Hat Talks On Apple Security Cancelled 125
An anonymous reader writes "Two separate Apple security talks have been nixed at the last minute from next week's Black Hat security conference in Las Vegas. The Washington Post's Security Fix blog reports that Apple researcher Charles Edge was to present on flaws in Apple's FileVault encryption plan, but asked Black Hat to cancel the talk, citing confidentiality agreements with Apple. Then on Friday, Apple pulled its security engineering team out of a planned public discussion on the company's security practices — which would have been a first for Apple. 'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said."
Marketing? (Score:5, Insightful)
Sounds like the marketing policy is "pretend there are no security issues". Hey, it seems to work.
Re:Marketing? (Score:5, Informative)
Sounds like just about every large ISP I've had the "pleasure" of working with. A small ISP's president will go issue a press release saying "Lightning took out two of our DSLAMs last night but it will be fixed ASAP", they'll most likely also record an automated message informing customers calling tech support about this. A large ISP OTOH will most likely keep quiet as long as possible, then issue a small notice on their website stating "Some of our customers are currently experiencing technical difficulties, our intarweb experts are investigating the problem and hope to have it fixed soon" and no information to customers calling tech support other than "There are 173 customers ahead of you, the wait time is 2 hours and 12 minutes".
/Mikael
Re: (Score:2)
Re: (Score:2)
People don't realize that cheap service comes with no guarantees. Step up to business-class service (from any carrier, or cable company) and get Service Level Agreements in writing -- and you get money back in your pocket every time the line goes down.
Re: (Score:2)
Unless someone h
Re: (Score:2)
well, not that I'm in love with it, but maybe its "we'll cross that bridge when we come to it."
Re:Marketing? (Score:5, Interesting)
Just to make sure i'm
Just because my PC doesn't explode when hit from the rear, doesn't mean the shortcomings are any less valid. While of course marketing does not want anyone to know anything bad could ever happen with a Mac, it would be better for the company and its clients to have a more open dialog. Pretending there are no holes does not fill them.
Re:Marketing? (Score:4, Insightful)
When product issues come up, auto makers must make their shortcomings public
Um, no. Recalls are a business strategy like any other. The lawyers sit down with the accountants, figure out total costs for a recall and a class-action lawsuit, and pick the cheaper of the two.
You'd be shocked to find out how often the lawsuit actually ends up cheaper. That's largely because class-action settlements have a very narrow scope, and only a small portion of the customer base will actually join the class.
Re:Marketing? (Score:4, Insightful)
Re: (Score:3, Funny)
The question is - do you know this to be true from personal industry experience, or are you just quoting Fight Club?
Damn, you forgot the first rule!
Re: (Score:3, Insightful)
Re: (Score:2, Insightful)
thats because job's is a egomaniac. any flaw means there was a mistake and egomaniacs think they never make mistakes.
Re: (Score:1)
When will any of the computer companies understand: what isn't said is just as bad, as what is said?
Hello, Marketing and PR 101??
The very folks who know about security flaws, won't get much more insight in the "how and what", as they already did the probing to find out. But the general public can learn how a company really treats this aspect in their organization. End users r-e-a-l-l-y need to know that such companies do understand that security flaws aren't something to put on the backburner to fix, but to
Re: (Score:2)
With a community like this (yes, I use mac) it will work.
Of course the über trolls and PR on "other side" makes it worse and gives community the much needed false trust. You figure out a very evil security breach on OS X, it has been verified by Apple too but... You give the job to PR team and they come up with "Mp3 virus!!!" stupidness.
How would people trust your alerts (most of are real) later? Or DOS'ing people's default browser via jp2 exploit just to show off? Anyway, I just say we need a really w
Re:Marketing? (Score:5, Insightful)
Re:Marketing? (Score:5, Insightful)
Apple is quiet about everything. This is not a case of Apple trying to cover up security problems, it's merely that Apple talkes about nothing, ever, and that includes security policies.
Re:Marketing? (Score:5, Insightful)
Re:Marketing? (Score:4, Interesting)
I'd say it's more likely that legal got wind of it, not marketing.
Re: (Score:2)
It is a stupid thing especially considering OS X updates. Should I social engineer people to get a clue if my Nvidia driver managing to make WindowManager use 40% CPU on any Aqua Progress Bar is updated?
"This issue is fixed in next release", "We will include updated drivers in next release" and even "You are full of crap, there is no such thing" would work.
Re: (Score:2)
Its a very good practice to leave holes open for script kiddies.
--
Hide the problem until there's an avalanche in your face?
Re: (Score:2)
But all apple does is marketing, the entire company revolves around the impression it creates of its products not the product itself. Put simply, marketing policy is company policy.
Re: (Score:2)
The Marketing policy, not the company's policy
You do not understand Apple. They are a marketing-driven company, to the extent that marketing makes the company decisions. You can't push anything through if they refuse to give their blessing.
Re: (Score:1)
Or releasing patches that don't fix what they say they fix? Could've sworn I've seen that somewhere with some company recently [slashdot.org]
Re: (Score:2)
No, that would entail denying and not fixing nor releasing patches. But, Apple do that, you zealous troll.
Why deny something nobody is talking about? And it's not like the security team was going to reveal all of the latest 0 days, they would be talking about stuff like how they learn about 0 days, and their reaction time to exploits, their methods of implementing different patches, policies, priorities, etc;.
Re: (Score:2, Insightful)
Idiot.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
It's Apple. Shouldn't that be:
Re: (Score:2)
Unless:
1. Profit!
2. Steve Jobs quit/dies/..
3. ???
Personally I'd be happy with:
1. Flash dies (if not possible Adobe release better flash version for macs.)
2. Apple "get" gaming.
3. Apple sell hardware for a decent price.
4. Apple sell well-speced machines.
5. Apple focus on OS X and not lots of other bullshit.
But maybe that's just me ;)
If nothing of the above would be possible (and it's not very likely to happen) this would work to:
1. The free software desktops gets some commercial quality software in all genre
Sounds very logic to me. (Score:4, Insightful)
From a managements and sharehold perspective I think it's quite normal and understandable of Apple creating such a policy.
A self-acclaimed public spokesperson respresenting your company about a subject without prior permission?
You must be a veteran here but new on the job market.
Re:Sounds very logic to me. (Score:5, Insightful)
From a managements and sharehold perspective I think it's quite normal and understandable of Apple creating such a policy.
For a term holder then yes, but if you are a long term, then bad PR like this isn't desirable for company image over the course of several years.
Besides, just because you don't disclose the exploit, doesn't mean it goes away.
Re:Sounds very logic to me. (Score:5, Insightful)
Re: (Score:1)
Re: (Score:2)
When you let marketing make these decisions, management (not the engineers, obviously) have effectively said "There are no flaws in our product and if you say there are then we're wrong and we all know we're never wrong."
This is APPLE you are writing about. Apple is a gigantic marketing company wrapped around a very tightly controlled core of engineers. There are pockets of other groups (legal, manufacturing, etc) inside the marketing layer but those too are tightly controlled. Nothing escapes the marketing layer. Nothing.
Not that there's anything wrong with that, mind you.
too scared (Score:1)
Shhh, if we don't admit anything (Score:2, Insightful)
Re:Shhh, if we don't admit anything (Score:4, Funny)
I wish there was an "incomprehensible grammar" mod....
Re: (Score:2, Interesting)
Well, of course! Apple is the underdog. Never mind the fact that is has the number one selling music player, and the market share is increasing, and that iTunes is extremely popular, and people are killing others for a iPhone...
Oh wait. Maybe Apple ISN'T the underdog. Maybe its practices are just the same as any other large company that wants to make a profit. It's no different from any others in that respect, in fact, it may be worse, as people excuse Apple for a lot, as they still think of it as the under
Steve is not impressed (Score:5, Interesting)
I think Steve J.'s brand of evil is about the same as MS's, but because they are perceived as underdogs, people don't care as much.
Re: (Score:2, Interesting)
Why? I didn't read anywhere in this article that stated Mac OS X is less secure than Windows... as it would be just plain silly.
"I think Steve J.'s brand of evil is about the same as MS's, but because they are perceived as underdogs, people don't care as much."
You may be right. But it doesn't change the fact that more and more consumers
Re:Steve is not impressed (Score:4, Interesting)
I do think that a lot of people are turned off by the size of MS more than the quality of its products. A lot of people want something different to express themselves. Even when Apple truly sucked (and it did), a fair number of people stuck with them presumably to distance themselves from the giant and evil MS.
Re:Steve is not impressed (Score:5, Insightful)
My points were that if Apple is really more secure than Vista, Apple would welcome a thorough investigation of its OS.
Probably. But do take into account that the engineers (i.e., the people who actually KNOW the technical details) WANTED to have the discussion.
The decision to cancel it came from marketing, those who don't understand the technical details but are reasonably afraid that someone might pull a rabbit from their hat and make Macs look bad.
Re: (Score:2)
Yes, that is the knee-jerk reaction you'd expect from marketing.
The problem is that it's overriding Engineering's attempts to actually improve the product.
Maybe someone should be afraid that a hacker WILL pull a rabbit from his hat, and use it to demonstrate the flaws of their security model. A code-red level worm, now, would be a huge market killer.
Re: (Score:3, Interesting)
Re: (Score:2)
I do think that a lot of people are turned off by the size of MS more than the quality of its products.
Or maybe it's their mediocre products and utter disregard for their customers and partners that turns people off?
Re: (Score:1)
When you say "if Apple is really more secure than Vista, Apple would welcome a thorough investigation of its OS" you're assuming the marketing department are being rational.
Re: (Score:2)
That being said, I suspect Steve J. made this decision.
Re: (Score:3, Funny)
You are absolutely correct. It still sucks, it just sucks less.
I remember the Apple internal code name for their sound manager in or around 1989. It was called Barking Pumpkin and their motto was "it just sucks less."
Re: (Score:2)
Oh my god. I'm reporting that the software is not perfect and stating a historical precedent and I'm marked a Troll? You've got to be kidding me.
Apple Marketing is the "best". (Score:3, Interesting)
Apple's marketing is genius.
A few years back, they were talking up how FileVault (home folder encryption) uses AES-128 encryption, implying that it would take longer to crack than the age of the universe.
http://www.apple.com/sg/macosx/features/filevault/
Meanwhile, the password could often be found in plain text on the hard drive in swap files. This was back before encrypting swap was an option.
It's also funny how a company that sells itself as secure has root privilege escalation without a password as a feature out of the box.
http://www.apple.com/sg/macosx/features/security/
I guess the default account having root access is sort of an industry standard given Windows. Phrases like "wise architectural decisions" are relative, so not strictly false. I won't touch "intelligent design".
But saying, and I quote, "The Mac OS X administrator account, unlike the Windows admin account, disables access to the core functions of the operating system." is an outright lie (see above "root privilege escalation feature").
Re: (Score:2)
I've always been prompted for my password when performing admin actions under OS X.
Re: (Score:1)
It's also funny how a company that sells itself as secure has root privilege escalation without a password as a feature out of the box.
http://www.apple.com/sg/macosx/features/security/ [apple.com]
I can't see that anywhere in the link you're citing, could you please point out where it says that? To have a proper discussion about things we need facts not unfounded accusations. I don't have any problem believing Apple might have done something like that but I need a proper link.
There are still some Apple-related talks left: (Score:2, Informative)
I haven't been fucked like that since the NextCube (Score:4, Funny)
Rule #1: You do not talk about Apple flaws
Rule #2: You DO NOT talk about Apple flaws
Rule #3: If someone says "stop" or goes limp, taps out we make him the CEO
Rule #4: Only two sentences to an argument
Rule #5: One argument at a time
Rule #6: No punch, no daiquiris
Rule #7: Cover-ups will go on as long as they have to
Rule #8: If this is your first night at Apple flaws, you HAVE to swallow
Re: (Score:1)
It just doesn't surprise me... (Score:1, Interesting)
I doesn't surprise me Apple's marketing team doesn't allow comment on practices, fixes or developments... they don't even get back to the people finding issues like Jon Longoria on the Spaces theoretical vulnerability. I emailed him to see if he had gotten comment and was told noone would talk with him to discuss the problem or attempt a fix. RE: http://thereformed.org/2008/05/03/theory-apple-osx-spaces-vulnerable/ . I don't really get wtf is wrong with Apple, I think they're locking up under the strain of
Not Surprised (Score:2, Interesting)
I'm not surprised really to see a corporation sponsored "Hacker" conference have talks canceled due to confidentiality agreements.
I've yet to hear a real hacker conference have their talks canceled due to something like that. Normally cancellations involve the speaker being escorted out in handcuffs.
But honestly there are far better, and more hacker-centric conferences out there than Black Hat. Conferences that come to mind are Chaos Communications Camp (or Chaos Communications Congress in the winter), Def
Re: (Score:1)
You've not been to defcon, have you? Blackhat's just a paid prequel to defcon - all the folks who talk at blackhat typically talk at defcon as well.
Here's a serious flaw with FileVault (Score:4, Interesting)
1. Create two accounts on your mac. One is a throaway with fileVault turned on.
2. Log in to both and switch to your non FileVault account.
3. Copy a large enough chunk of data to the drop box of the FileVault user so that you will ALMOST fill up the boot drive.
4. Duplicate that data to another folder on your boot drive.
5. Wait till the hard drive fills up and you have 0 K on the drive.
6. Launch Safari and load a few web pages with lots of rotating ads. This is to guarantee that more data is being brought onto the hard drive.
At some point, the FileVault account becomes corrupted. You can't log in to it, you can't recover it. It's gone.
Re: (Score:2)
As i understood it, one user can fuck up another users account, without the need for administrative privileges.
This *is* an issue.
Re: (Score:2)
Yep. That's correct.
After I found this out and knowing how often I fill my my root drive, there is no way in hell I'm using FileVault. It is a license to lose everything.
Solution: (Score:3, Informative)
Admittedly - it is a problem, but it certainly has a workaround.
Re: (Score:2)
So Apple could add that sh thing to recent security updates postflight script, it would take like 100 bytes?
That is the issue. It was exact same command to secure Input Managers in users home directory input managers on Tiger. I did it (as I have legit stuff), everything worked flawlessly. Why didn't they do it? They later admitted issue and made Input Managers function in /Library/Input Managers owned by root on Leopard.
A script like TIGER on Linux could really make OS X almost rock secure but developers a
Re: (Score:3, Informative)
Here's another: You can't use Time Machine properly if you use FileVault. Backup or encryption, pick one.
Re: (Score:2)
What's the nature of the flaw? How does it fail?
Re: (Score:2)
What's the nature of the flaw? How does it fail?
It won't back anything up if you're logged in, and then if you log out, it'll only backup the disk image, not the files inside it. Which pretty much defeats the whole point of the thing.
The sad thing is (Score:5, Insightful)
Re: (Score:3, Insightful)
Now, that's no dig at Apple's products
very true (Score:2)
Perception is that Apple is lax on security (Score:2)
'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said."
Then Apple marketing people aren't very smart, are they? Because it sure isn't helping the perception that Apple is lax on security.
Re: (Score:2)
On the contrary,
Apple has always been like this, OS X has always practised security through obscurity and used takedown orders and NDA's to hide flaws. The simple fact that people are only just beginning to see this is proof of the great job that Apple marketing has been doing. As always it's impossible to carry on a lie forever.
Marketing Rules (Score:2)
One day in Vegas (Score:2, Funny)
Apple "No, it is perfectly secure"
Hacker" Seriously, duuuude, watch me hack your machine"
Apple "Can't be done, our software was blesses by the gods of Steve"
Hacker" Duude, Im not kidding Im in your machine, watch as I buy some child porn with your credit card"
Apple "Ha, all a figment of your imagination, our marketing department says we have the best operating system in existence"
FBI "excuse me sir I would like to talk to you regarding the purchase of illicit chil
Misalignment with Snow Leopard (Score:2)
This is a stumbling block on Apple's road to the enterprise. That's out of alignment with the technology plan for Snow Leopard server, which includes many new features [apple.com] directly aimed at supporting the mid-sized enterprise.
Combine that with the general trend towards browser-as-client, and with the advent of VMware Fusion and Parallels, and at a time when there's no compelling case to deploy Vista during a desktop refresh. Apple have significant position to attack the enterprise desktop & backend.
However:
Re: (Score:1)
Re: (Score:1)
Hmm.. nice (Score:1)
They learned this from OpenBSD (Score:1)
OS X: The Sacred OS for Blessed Machines. (Score:2)
(completely ignoring any issues of intentional inaccuracy)
The difference between DeRaadt and Jobs is how they want things fixed.
DeRaadt gets the issue solved. Jobs takes a page from Cisco and IBM by sending lawyers until the person is gone from the earth.
Re: (Score:1)
Quote out-of-context (Score:3, Interesting)
Re: (Score:3, Funny)
preferred method should be beating to death by a stick.
My guess is you lack the upper body strength to pick up a stick.
Re: (Score:2)
And the brainpower to work out which end of the stick to hit someone with...
Re: (Score:2)
Re: (Score:1)
It takes only one bad guy to figure that out by himself and you'll get owned, you have to know the exploit yourself to know what measures could be taken to prevent it.
Re: (Score:2)
Intuitive? It's still light years ahead of Windows and Gnome/LDE.
Just works? That was always bullshit. Mac OS classic never "just worked", Mac OS classic was *shit*. What it had was that it was all very simple, and the ways it went together were very simple, so you could fix it when it broke without being any kind of geek. OS X, now, that's pretty damn close to "just works".
Printers? I'm still having problems getting Windows to handle printers at work. They just show up on OS X.
Don't lock yourself into dead