Call for Apple Security 'Czar'
conq writes "The second security non-incident to hit the Mac platform in as many weeks has been debunked. People are talking a lot about security on the Mac these days, and the result is that a great deal of FUD is being spread around. BusinessWeek's latest Byte of The Apple column suggests that it's time for Apple to appoint a security Czar to get out ahead of the FUD before it spreads much more." From the article: "Creating a CSO position may be viewed by some as an admission of weakness. Still, I say it would be a good way for Apple to inoculate itself against the perception -- warranted or not -- that Mac security may be eroding, and get ahead of the curve for any troubles that may be inevitable. That may not be the case, but in matters related to product marketing, it's the public perception, not the reality that really matters. And once you've lost a user's confidence, it's hard to get it back. Just ask Microsoft."
Chief Security Officer? (Score:5, Funny)
Re:Chief Security Officer? (Score:5, Funny)
Re:Chief Security Officer? (Score:5, Funny)
Re:Chief Security Officer? (Score:3, Funny)
He he he... The other day I was talking to a young woman who'd just got a Mac and set her download directory to "Applications" so that anything she downloads is automatically installed. She said it made it easier to use the computer.
User ignorance is still the biggest threat.
Sounds like a PR or Legal issue, not a security. (Score:5, Insightful)
Sounds to me like they need to hire someone with appropriate skills in either their PR or Legal departments.
Two non-security incidents in a month almost certainly mean that they're the victim of a FUD campaign.
The right way to answer that is not to validate the fud, but
Apple's recent security update patched 20 holes (Score:5, Insightful)
Apple needs to treat their holes as real problems, not just as a PR problem. And they're actually doing just that by releasing fixes and not spouting PR. Spouting PR would only make them a bigger target for hackers, just as appointing a "Security Czar" would. The latter would also undermine confidence of the general public ("If Mac is so secure, why do they need a 'Security Czar'?")
Re:Apple's recent security update patched 20 holes (Score:3, Insightful)
So you're saying that, for instance, a person who had three colds last year is less healthy than a person who had cancer only once?
Say, I need some change. Would you mind giving me a twenty for these two fives here?
Re:Apple's recent security update patched 20 holes (Score:3, Insightful)
Would it be like the Maytag repair man? (Score:3, Funny)
Worf: "This job gives me an intense feeling of Gardachk! I think I'll kill one of the developers at our next hackeysack battle."
Well, then, that would be poetic justice (Score:3, Informative)
Re:Well, then, that would be poetic justice (Score:3, Informative)
Re:Chief Security Officer? (Score:2)
Because you're too young to recall Lt. Sulu as the security chief in the alternate universe.
Re:Chief Security Officer? (Score:2)
There goes 10 years of trying to prove I'm not a nerd.
The importance of user confidence (Score:5, Informative)
And yet, they still seem to be doing OK.
Re:The importance of user confidence (Score:2)
Re:The importance of user confidence (Score:2, Insightful)
Re:The importance of user confidence (Score:2)
Actually, while that statement seems like an informed comment, it is not.
No one could have claimed that any Linux desktop of 6 years ago was just as good as the Windows desktops of the period.
I've been running Linux for eight years, and it was JUST 6 years ago, on July 12, 1998, that KDE 1.0 was released. KDE 1.0 was the best desktop GUI availabl
Re:The importance of user confidence (Score:2, Insightful)
No, it isn't. Let's look at KDE alone, disregarding all the complications due to the distro fascism.
KDE is utterly complicated, overpersonalizable, to the point that when you have to set something, you spend a considerable amount of time looking for the desired option diluted in a mayhem of
Re:The importance of user confidence (Score:2)
OK?? (Score:2)
And yet, they still seem to be doing OK.
Do you mean in terms of security or money? If you are talking about security, given the attitudes toward MS on this forum, I'm surprised you weren't modded up to '+5 Funny' for that comment. Personally I wouldn't exactly call Windows Security 'OK' (as in security provided by Microsoft, out of the box, after patching and with native tools only, no third party software), perhaps in a
I'm concerned (Score:5, Funny)
Re:I'm concerned (Score:4, Funny)
Re:I'm concerned (Score:2, Funny)
Nominate Slashdot as the Apple CSO (Score:3, Funny)
Public confidence? (Score:5, Insightful)
Huh? Most of the "public" I know doesn't have any lack of confidence in OS X and hasn't even heard all the latest "scares" of OS X's security. In fact, I'd venture to guess that most of the "public" knows nothing about OS X being more secure than Windows (as it isn't really an advertised fact) and think that viruses/trojans/worms, etc, are just a part of computing.
Re:Public confidence? (Score:5, Insightful)
Re:Public confidence? (Score:3, Insightful)
Re:Public confidence? (Score:4, Insightful)
What they seemed to just say, in a nutshell:
"Apple should create an executive position to serve as a figurehead in charge of security. Doing so will create the perception that Apple's shit is not as secure as it used to be, but is needed to maintain the perception that it's still as secure as it used to be."
So, if they don't hire somebody like that, confidence in their security will erode.
But if they do hire somebody like that, confidence in their security will erode.
Here's a thought: Why not just keep putting out an OS which is vastly more secure than Windows? As a customer, I've been pretty happy with that strategy so far.
Re:Public confidence? (Score:5, Funny)
What is OS X? Should it affect me?
Re:Public confidence? (Score:2)
Just ask Microsoft???? (Score:3, Interesting)
Re:Just ask Microsoft???? (Score:2, Insightful)
hi
Re:Just ask Microsoft???? (Score:5, Insightful)
Or are you trying to imply that MS is now secure?
Not a bad idea, (Score:5, Interesting)
If nothing else, it'll start an effective and accurate comparison of the state of security between OSX and Windows, a feature of OSX that Apple has not stressed as much in their ads as they should.
Re:Not a bad idea, (Score:2)
Appointing a 'Security Czar' would move all these low key (outside of the
It's a terrible idea, Apple should continue to let
Re:Not a bad idea, (Score:2)
Yeah, and who said OSX has to be compared to Windows? Who says that OSX has to "defend" itself as in "just ask Microsoft"? Microsoft is not trusted because their software has "earned" this mistrust. OSX's so called security issues have mostly turned out to be fud^2. Yes, we know crowds don't understand and don't want to understand unix vs windows architecture differences, they need to see "comparisons" and security "studies" performed by "inde
They recently hired on the FreeBSD CSO (Score:5, Interesting)
It's just how you handle the marketing (Score:5, Funny)
Just ask Microsoft (Score:5, Insightful)
Re:Just ask Microsoft (Score:3, Insightful)
Biased poster (Score:3, Insightful)
Re:Biased poster (Score:2, Informative)
Re:Biased poster (Score:2)
Yeah, like that 30-minute hack that REQUIRES you to have a local account... *rolls eyes*
Re:Biased poster (Score:4, Informative)
What is it with the 'Czar' title? (Score:5, Funny)
What about other titles for potentates?
'Chief' 'King' 'Master' 'Commander' 'Lord'
Re:What is it with the 'Czar' title? (Score:2)
Re:What is it with the 'Czar' title? (Score:4, Funny)
Re:What is it with the 'Czar' title? (Score:2)
Re:What is it with the 'Czar' title? (Score:2)
Lord Steven P. Jobs, High Priest of the Cult of Mac, Commander of the Fan-boy legions, King of One Infinite Loop, and Master of Keynotes.
Yes, I use Macs, and I like Jobs.
Re:What is it with the 'Czar' title? (Score:3, Informative)
Both parts of this assertion are false. It was a theological move made by the Jewish elders who translated the Talmud into Greek, ca. 3rd century BCE: in order to avoid using the name Yahweh, they used the Greek word kyrios meaning "head of the family/household". Everyone since then has been copying them: it's all pre-Christian. The reason kyrios got translated into English as "lord" was because Anglo-Saxon hlafweard also meant "head
That's not security, that's marketing (Score:3, Interesting)
Perception? (Score:4, Insightful)
OK, then everybody else can stick to the illusion of security with Windows despite reality, and I'll be happy in the reality of my secure OS X machines.
OS X is not 100% secure, but out of the box, it's about as secure as any system can be that has a network adaptor in it. Try this on your average box:
netstat -an |grep -i listen
tcp4 0 0 127.0.0.1.631 NOT JUNK LISTEN
tcp4 0 0 127.0.0.1.1033 NOT JUNK LISTEN
Go ahead, break into 127.0.0.1. I dare you.
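The check in the post above is a manual eyeball of netstat's LISTEN lines. As an added example (not from the original post or from Apple), here is a small shell filter that automates the same audit on macOS/BSD-style netstat output, printing only listeners bound to something other than the loopback address; the netstat lines it runs over are constructed samples, not a real capture.

```shell
#!/bin/sh
# Added example, not part of the original post. Classifies LISTEN sockets from
# "netstat -an" in the BSD/macOS column layout shown in the post (proto, recv-q,
# send-q, local "addr.port", foreign "addr.port", state) and prints only the
# local endpoints that are NOT bound to loopback, i.e. reachable off-box.
# Linux netstat uses "addr:port" columns and would need a different field split.

# Reads netstat -an output on stdin, prints exposed local endpoints on stdout.
exposed_listeners() {
    awk 'toupper($NF) == "LISTEN" {
        addr = $4
        # Drop the trailing ".port" so "127.0.0.1.631" -> "127.0.0.1",
        # "*.22" -> "*" and "::1.631" -> "::1".
        sub(/\.[^.]*$/, "", addr)
        if (addr != "127.0.0.1" && addr != "::1" && addr != "localhost")
            print $4
    }'
}

# Constructed sample output (assumption: not captured from any real host),
# mimicking the two loopback-only lines from the post plus three additions.
SAMPLE='tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  127.0.0.1.1033         *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  ::1.631                *.*                    LISTEN
tcp4       0      0  192.168.1.10.5900      *.*                    LISTEN'

# Returns the number of exposed listeners found in SAMPLE (expected: 2, the
# wildcard-bound *.22 and the LAN-bound 192.168.1.10.5900).
count_exposed_in_sample() {
    printf '%s\n' "$SAMPLE" | exposed_listeners | wc -l | tr -d ' '
}

# First exposed endpoint in SAMPLE, handy for spot checks.
first_exposed_in_sample() {
    printf '%s\n' "$SAMPLE" | exposed_listeners | head -n 1
}

# Live use on a macOS/BSD box:  netstat -an | exposed_listeners
# An empty result is the "only 127.0.0.1 is listening" state the post describes.
```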
Re:Perception? (Score:4, Funny)
I will take that challenge using all of the tools that I have. You'll be sorry when I break into your...
CONNECTION DROPPED
Re:Perception? (Score:2)
Miranda beat you to it [userfriendly.org].
I hate to be the first naysayer, but... (Score:2, Insightful)
Lame (Score:2)
It is notable that microkernel OSs offer improved security and such, at the cost of performance. Not being a Mac fanboy, I don't know how true they are to the whole bit.
Re:Lame (Score:2)
The common attack on microkernel OSs is performance.
He's not calling for a CSO (Score:4, Insightful)
As stated in the article, putting security in the hands of an individual is counter to Apple's philosophy of having security be a priority for everyone.
I personally think Apple's better off letting third parties defend the FUD; they seem to be doing a swell job with the last two instances. By now, no one in the know doesn't know that the past two were FUD.
Those who aren't in the know didn't even hear about it.
IMO, we should never ASK a company to add in another layer of publicity and marketing. That's asking to be misled by slanted information, be it MS, Apple, Google, IBM, or whomever.
MS's problem is the reality, not the perception (Score:5, Insightful)
Wow, talk about an unassailable position (Score:5, Informative)
While I agree that every company that sells operating systems should take security seriously, and that having somebody responsible is practically always a prerequisite to being "serious", it's really too bad that people don't seem to absorb a bit more reasoning skill by the time they get out of school.
Sure, Apple's relatively superior security record "may" erode as they start to gain market share and visibility to the black hats. In fact I'd say there's not much room for it to go other than the direction of erosion. However, we don't have any evidence that anything like a disaster is about to happen. You can posit that terrible things may happen, and nobody can prove you wrong. You could posit that Steve Jobs is the vanguard of an alien mind-control invasion, and nobody could prove that wrong either. These are the sort of things that can only be proved in an affirmative sense: some researcher finds a vulnerability in the Mac OS authentication system, or tentacles suddenly spring from Steve's head.
Right now I'd say the biggest problem is the Mac user base's overconfidence. While back in the day, Mac users did struggle quite a bit with viruses, which were oh-so-much more interesting to write for the more advanced Mac platform than for DOS, recently they're getting a bit cocky. They're not as used to the security patch grind as the people running Windows.
Security Czar role will fit in well in Apple (Score:5, Funny)
Every week, they hold a cross group meeting with the Sultan of Marketing, the Sales Duchess, and the Distribution Führer. They all are answerable to the Grand Baron of Charging More for Stuff because it is Shiny (he prefers people call him Tim, for brevity).
The wrong perspective. (Score:4, Insightful)
Of course, you could argue that it be completely locked down with no keyboard or connection to the Internet, etc... but this would be a completely moot point.
With this in mind let's consider the overall design of the security subsystem. Apple Mac OS X is much better DESIGNED than Windows in its current state. I won't delve into detail about protected memory, access controls, permissions, default configurations, open ports, etc... but out of the box Mac OS X is more "security minded" than Microsoft's Windows.
Now, keep in mind that things ARE changing. No matter how much heat Microsoft takes they are still managing to improve the quality of their product. Windows XP is a far superior product (security wise) than was 98 or ME... and it appears that the next version of Windows is even more security conscious.
In conclusion, people should not "judge" an OS based on the potential for it to have problems... they all will. Mac OS X has enjoyed a reputation for safety that is based on many factors (including having a small market share). However, the bottom line is that it is very "security aware" and has the potential for you to lock it down even more... and this is the right perspective to look at.
Matt Wong
http://www.themindofmatthew.com [themindofmatthew.com]
Re:The wrong perspective. (Score:2)
So... exactly what ARE they supposed to judge it on?
We need to defend against scare tactics (Score:5, Funny)
Pictures of Jane Fonda on her iMac will be forthcoming.
Debunked? (Score:2)
Not to mention that the second challenge was pulled early, and not that I expect someone to give away a remote shell exploit for free to prove a point.
Re:Debunked? (Score:4, Insightful)
The second challenge debunks nothing. One challenge gave shell access, the other didn't.
The second challenge did not debunk the first challenge, it debunked the poorly written and misleading articles about the first challenge by replicating the situation the articles depicted the first challenge as being.
Only one of those actually ended up demonstrating a result.
You can't logically prove a negative. What amount of time is sufficient to show something won't ever happen?
Not to mention that the second challenge was pulled early...
But not because it was hacked. It was pulled for reasons outside the control of the person running it and certainly stood up to more than 30 minutes of attacks, thus the sensationalist articles were debunked.
Remote "shell" exploit? Why would it be a shell exploit, necessarily?
I certainly think it is likely there are remote exploits for OS X out there. There are certainly a lot of white hats and other crackers that would love the publicity this could have generated for them. There are also a lot of people that would like to quiet down the small number of uninformed, overzealous fans of OS X that at times can be quite annoying. What this has shown is that remote exploits are not common enough that people can demonstrate one to showboat, and they are not easy enough to find that they can be found and demonstrated by the white hats in that short a period.
Basically this confirmed what pretty much every security person already has plenty of evidence to support. The point you are missing is that while the original test was somewhat useful, the very poor articles about the original test spread misinformation and FUD that did more damage than the original test did good. It is those articles that this challenge was designed to rebut and it has done that much at least.
Re:Debunked? (Score:2)
Exactly. So which one proved something?
Remote "shell" exploit? Why would it be a shell exploit, necessarily?
It's a very common infosec term, it means an exploit that provides a remote shell or equivalent. As opposed to a flaw in RSH, if that's what you were thinking.
I certainly think it is likely there are remote exploits for OS X out there.
Of course there are. Several have been published, and I kn
Re:Debunked? (Score:2)
Exactly. So which one proved something?
The first challenge showed that local exploits are out there. The second challenge showed that the articles about the first challenge were a bunch of crap. Each proved something.
It's a very common infosec term, it means an exploit that provides a remote shell or equivalent. As opposed to a flaw in RSH, if that's what you were thinking.
I'm familiar with what a shell is. But you're saying a shell exploit is an exploit that gives access to a remote shell or the sam
Just ask Microsoft (Score:4, Insightful)
Or an ex-customer like me [msversus.org].
Perception of course matters to many people. But hopefully reality matters to many more people.
Apple, please... just please... do everything you can to keep your customers' computers safe. That's all I ask. Appoint a CSO or don't, I don't care.
Just don't hire the MS CSO (Score:2)
Uhh, personally (Score:5, Informative)
Analysts and bloggers crowing endlessly about "Apple/Linux/Firefox/whatever don't have better security, they're just smaller" gets attention for a little while, but just let time pass. Eventually people realize they're being cried wolf to. After a few years people will have forgotten the bloggers, but will remember whatever the next major Windows worm incident that gets on the nightly news turns out to be.
Unfortunately, this only works if you really do have better security. And while this article is just talking about media events like the mac mini challenge as if they're all that matters, Apple has had real security problems of late. Whether or not the mac mini challenge was important for real security, there are apparently some os x privilege escalation exploits floating around, and there was that incredibly embarrassing bug [slashdot.org] a while back where Safari could be tricked into launching a shell script as if it were a
Taking this seriously does not mean-- as the article suggests-- appointing someone to talk to the press about how great Apple's security is. It means actually fixing the problems, and making some effort to see what other problems might be out there. PR is temporary, and if you do too much of it, it can backfire (as people start to assume anything positive they read about your platform is just a result of PR). Real security problems like the filetype bug I mention can impact your reputation for years, no matter how much you try to spin them.
Speaking of which, there was a new security update on Apple Software Update this week. Anyone know what exactly that covered? Is the jpg/sh MIME or whatever problem fixed yet?
Re:Uhh, personally (Score:2)
I'd like to agree, but there's more bucks being returned from spending on better PR than from spending on better (real) security. Just ask MicroSoft.
Will just ask MicroSoft become a new meme?
personally I'd like to see..... (Score:3, Interesting)
That said I do want to migrate...
Re:personally I'd like to see..... (Score:2, Interesting)
Re:personally I'd like to see..... (Score:2)
Apple should put up a honeypot. (Score:4, Insightful)
The Apple Security Czar should be like... (Score:2)
Confidence (Score:2)
Bill, can I be confident that Vista will not have any security holes?
Yes you can, just make sure you buy Vista Ultimate. [microsoft.com] It is the best one that we offer.
Blah. (Score:2)
This is crap. It was an "incident" for sure. The fact of the matter is that the Mac, given local access by either a process or login, is very susceptible to local privilege escalation. It took someone 30 minutes to prove that this is the case.
The real concern with this is that the Mac is not truly equipped (in its current state) to be used securely as a multi-user UNIX machine. An example of such an environment would
Re:Blah. (Score:2)
Here's the real problem. Hackers are trying to make a name for themselves by "winning" a "Hack into a Mac" challenge. They accomplish this by using an "unpublished exploit", then tell the world that they did it. The problem is they don't say how. If you figure it out, then tell Apple (or whoever's OS/app you've cracked) what you did and how.
The pathetic thing is gwerdna is being praised as a h
Appointing a czar... (Score:2, Interesting)
Have there been any successful czars for anything?
OS X = insecure (Score:2, Redundant)
Read what the pros say about the simplicity of finding vulnerabilities in OS X [immunitysec.com]
ID10T (Score:2)
I don't think so. I think it's an admission that you aren't a self-centered egotistical fathead who is actually dumb as a stump. Security is always an issue. No matter how well you *think* you are protected.
non-incident? (Score:2)
If I give someone an account with limited rights I've given them an account with limited rights, not an account for them to get root if they feel like it. If I wanted them to have root, I'd have given it to them in the first place!
Re:non-incident? (Score:3, Informative)
Could someone please enlighten me as to why it is possible for a least privileged user account to gain root without the consent of the owner to be classed as a "non-incident"?
It isn't a non-incident, but neither is it a remote exploit. Apple fixes 5-10 local escalations a month in their security updates, many of which are found by outside security people. Thus exposing one more is not exactly news. This is the same for Linux or most any other OS not designed to be ultra-secure. (Except Windows which has
Oh please ... (Score:3)
In Imperial Russia the Czar calls you. (Score:2)
Anti-malware would be better. (Score:2)
Apple could easily integrate an Anti-Malware system in OSX and it would boost their security immensely, and there's nothing Symantec or McAfee could do or say about it (Unlike MS under an antitrust ruling. I'm surprised they are letting Windows Defender in Vista). All it would have to do is warn you of potentially harmful actions even if it's initiated by the system root (h
Business Weak (Score:3, Insightful)
Who do they back on National Security issues? How do their favorite National Security spokesmodels rate?
Might not be in Apple's gameplan. (Score:4, Interesting)
Not all FUD, but not "eroding" (Score:2)
PR is nice, but I want the real deal (Score:3, Insightful)
Thus Apple has two approaches it can take. First, it can consider tactics that harden the system as a whole, making it much harder for exploits to work in the first place. Look to approaches such as those taken by grsecurity, SELinux, and the other layers found in hardened Linux and *BSD distros for examples. Harden the hell out of the kernel and compiler layers as a baseline approach. Perhaps fund Coyotos [coyotos.org] work as a strategic-term approach, with an eye towards migrating the kernel. The room for innovation here is to present a hardened system that isn't any harder to use.
Second, Apple simply must be diligent in identifying and fixing exploits. To that end, I'd propose that Apple offer a substantial first-reporter bounty for local and remote exploits on the Mac OS X platform. Think about it: set aside the equivalent salary+overhead of one or more good security experts. Divvy that amount out to leverage a larger community each year. I'd love to see a few students help pay their way through college this way. 8-)
Forget the illusion of no exploits -- go out, find 'em, and close 'em first.
Re:I Don't See What all the Fuss is About... (Score:3, Insightful)
Re:I Don't See What all the Fuss is About... (Score:2, Funny)
Re:U of Wisconsin? (Score:2)
What happened with the U of Wisconsin [slashdot.org] test? It was supposed to run until Friday, then he shortened the deadline and removed the reference to the Friday end time, and then I forgot to log back into it at midnight. Now the URL [wisc.edu] gives a "could not find host" error and I can't even ping the IP... So what happened? What was the end result?
Re:U of Wisconsin? (Score:2)
RPI Geek, eh? Probably means beer and posting don't mix.
Re:U of Wisconsin? (Score:3, Informative)
What about U of Wisconsin? (Score:4, Insightful)
Instead of bleating for help howzabout looking up your question for yourself?
"university wisconsin mac challenge" are some good key words.
If you think the topic is of general interest then post back your results.
Re:U of Wisconsin? (Score:2)
Short version: Nobody succeeded in breaking in.
Re:I'd like to see a Czar of Software Stability (Score:2)