I had an interesting query from Scientific American (see Larry Greenemeier’s blog at http://www.sciam.com/blog/60-second-science/post.cfm?id=apple-disses-hackers-black-hat-conv-2008-08-05 to see the main thrust of the discussion). He asked, "Could Apple’s move to pull its security presentation from the Black Hat conference backfire on the company and make the company more of a target for hacker scrutiny? Why?"
It certainly made them a target for discussion on Slashdot (http://it.slashdot.org/it/08/08/03/0031228.shtml), which isn’t quite the same thing, but to some extent reflects hacker (in quite a broad sense) interest. Unlike Herbert Thompson, who’s quoted in the original blog, I’m not convinced, though, that this reticence is going to increase scrutiny: there’s already plenty of interest in the platform from hobbyist hackers, profit-driven gangs (a persistent trickle of malware, fake antispyware etc), not to mention security companies (a couple of AV companies have dipped their toes into the Mac arena in the last year).
In my view, the real damage to Apple is that they’ve given the impression that their security initiatives are driven by marketing considerations. Of course, in the real (corporate) world it’s quite normal to maintain right of veto over public statements and appearances (that goes for the public sector too), but there are a lot of people falling into the general category of "security researcher" who aren’t particularly aligned with the corporate world and have little sympathy with it, let alone understanding of how it works.
That said, Apple continue to display a worrying naivete and, in some instances, lack of awareness ("We don’t know of any OS X malware"). They give the impression of remaining wedded to a model of "no discussion, tight product control, and no disclosure until we’re ready" that sits strangely with their extensive use of open source code. A lot of people have pointed to the fact that their latest patch, while addressing DNS issues, is incomplete (http://isc.sans.org/diary.html?storyid=4810), though in fact that applies to other vendors too. I’d say that in the last year or so fewer people have been ready to accept Apple’s security credentials as a given, and perhaps the company could learn something from Microsoft’s experiences over the past several years. Not that Microsoft hasn’t made its share of mistakes, but it’s done a fair few things right, too, in security terms. And in today’s world, no-one can afford to be seen as thinking that "security isn’t important".
It does seem to me that the simplistic model of "Apple good, Apple safe: Microsoft evil, Microsoft unsafe" is years past its best-by date: mistrust the credentials of anyone who takes it as read.
Malware Intelligence Team
Author David Harley, ESET