Apple

Tuesday, August 11, 2009

Not All Design Flaws Are “Features”

By Rich

Yesterday I published an article over at TidBITS describing how Apple's implementation of encryption on the iPhone 3GS is flawed, and as a result you can circumvent it merely by jailbreaking the device. In other words, it's almost like having no encryption at all.

Over on Twitter someone mentioned this was discussed on the Risky Business podcast (sorry, I'm not sure which episode and can't see it in the show notes) and might be because Apple intended the encryption only as a remote wipe tool (by discarding the key), not as encryption to protect the device from data recovery.

While this might be true, Apple is clearly marketing the iPhone 3GS encryption as a security control for lost devices, not merely faster wipes. Again, I'm only basing this on third-hand reports, but someone called it a "design feature", not a security flaw.

Back in my development days we always joked that our bugs were really features. "No, we meant it to work that way". More often than not these were user interface or functionality issues, not security issues. We'd design some bass ackwards way of getting from point A to B because we were software engineers making assumptions that everyone would logically proceed through the application exactly like us, forgetting that programmers tend to interact with technology a bit differently than mere mortals.

More often than not, design flaws really are design flaws. The developer failed to account for real world usage of the program/device, and even if it works exactly as planned, it's still a bug.

Over the past year or so I've been fascinated by all the security related design flaws that keep cropping up. From the DNS vulnerability to clickjacking to URI handling in various browsers to pretty much every single feature in every Adobe product, we've seen multitudes of design flaws with serious security consequences. In some cases they are treated as bugs, while in other examples the developers vainly defend an untenable position.

I don't know if the iPhone 3GS designers intended the hardware encryption for lost media protection or remote wipe support, but it doesn't matter. It's being advertised as providing capabilities it doesn't provide, and I can't imagine a security engineer wasting such a great piece of hardware (the encryption chip) on such a mediocre implementation.

My gut instinct (since we don't have official word from Apple) is that this really is a bug, and it's third parties, not Apple, calling it a design feature. We might even see some PR types pushing the remote wipe angle, but somewhere there are a few iPhone engineers smacking their foreheads in frustration.

When a design feature doesn't match real world use, security or otherwise, it's a bug. There is only so far we can change our users or the world around our tools. After that, we need to accept we made a mistake or a deliberate compromise.

–Rich

Tuesday, June 09, 2009

iPhone Security Updates

By Adrian Lane

Like many potential iPhone buyers, I have been checking the news releases from the Apple WWDC every hour or so. Faster speed, better camera, better OS, new apps. What's not to like? From a security standpoint, the two features that were intriguing for me and (probably) many IT organizations are the data encryption and automatic remote data wipe options. From MacWorld:

For IT, Apple has added on-device encryption for data (backups are encrypted as well), plus a remote wipe-and-kill feature for Exchange 2007 users. Non-Exchange users can get remote wipe-and-kill if they subscribe to Apple's consumer-oriented MobileMe service. In either case, the wiped information and settings can be restored if you find the missing iPhone.

Much in line with what I was thinking in the Friday Post, it appears that Apple developers are way ahead of me. This clears a couple major security hurdles for corporate adoption of the iPhone, and helps the iPhone to continue its viral penetration of corporate IT environments. Very smart moves on their part to fill these gaps. The "Find my iPhone" feature is a neat bit of gimmickry, and helpful for distinguishing whether your iPhone went missing or was stolen. I have trouble believing it would be very effective for recovery, but it is enough information to decide whether or not to remotely wipe the device. And with the ability to recover wiped data through MobileMe, there is little penalty for being safe.

Then, leave it to AT&T to kill my happy iPhone buzz. Tethering? Nope. Any product vendor will tell you that if a customer asks you when they get some cool new feature, you talk about what a wonderful advancement it will be and then set realistic expectations about when it will be available. Your response is not "Well, that will cost you more". No wonder AT&T was booed on stage. It looks like by the time tethering is available, AT&T will no longer have its US exclusive arrangement with Apple, and no one will care that they don't seem to care about customers. Or timely feature enhancements. Or that they are denying loyal Apple/AT&T customers a discount to buy a new phone and give the old phone to someone else who will need to use AT&T. You see the logic in that, right?

–Adrian Lane

Wednesday, June 03, 2009

Five Ways Apple Can Improve Their Security Program

By Rich

This is an article I've been thinking about for a long time. Sure, we security folks seem to love to bash Apple, but I thought it would be interesting to take a more constructive approach.

From the TidBITS article:

With the impending release of the next versions of both Mac OS X and the iPhone operating system, it seems a good time to evaluate how Apple could improve their security program. Rather than focusing on narrow issues of specific vulnerabilities or incidents, or offering mere criticism, I humbly present a few suggestions on how Apple can become a leader in consumer computing security over the long haul.

The short version of the suggestions is:

  • Appoint and empower a CSO
  • Adopt a secure software development program
  • Establish a security response team
  • Manage vulnerabilities in included third party software
  • Complete the implementation of anti-exploitation technologies

–Rich

Tuesday, June 02, 2009

Macworld Security Article Up- The Truth About Apple Security

By Rich

Right when the Macalope was sending along his take on the recent ComputerWorld editorial calling for the FTC to investigate Apple, Macworld asked me to write a more somber take. Here's an excerpt:

On May 26, Macworld republished a controversial Computerworld article by Ira Winkler suggesting that Apple is “grossly negligent” when it comes to security, and should be investigated by the Federal Trade Commission for false advertising. The author was motivated to write this piece based on Apple’s recent failure to patch a known Java security flaw that was fixed on other platforms nearly six months ago. While the article raises some legitimate issues, it’s filled with hyperbole, inaccurate interpretations, and reaches the wrong conclusions. Here’s what you really need to know about the Java situation, Mac security in general, and the important lesson on how we control Apple’s approach to security.

...

The real failure of this, and many other, calls for Mac security is that they fail to accurately identify those who are really responsible for Apple’s current security situation. It isn’t security researchers, malicious attackers, or even Apple itself, but Apple’s customers. Apple is an incredibly successful company because it produces products that people purchase. We still buy MacBooks despite the lack of a matte screen, for example. And until we tell Apple that security will affect our buying decisions, there’s little motivation for the company to change direction. Think of it from Apple’s perspective—Macs may be inherently less secure, but they are safer than the competition in the real world, and users aren’t reducing what they spend on Apple because of security problems. There is reasonable coverage of Mac security issues in the mainstream press (Mr. Winkler’s claim to the contrary), but without demonstrable losses it has yet to affect consumer behavior.

Don't worry- I rip into Apple for their totally irresponsible handling of the Java flaw, but there really isn't much motivation for Apple to make any major changes to how they handle things, as bad as they often are.

–Rich

Thursday, May 28, 2009

The Government Must Save Our Children from Apple!

By Macalope

Editor's Note: This morning I awoke in my well-secured hotel room to find a sticky note on my laptop that said, “The Securosis site is now under my control. Do not attempt to remove me or you will suffer my wrath. Best regards, The Macalope.”

ComputerWorld has published an interesting opinion piece from Ira Winkler entitled “Man selling book writes incendiary Mac troll bait”.

Oh, wait, that’s not the title! Ha-ha! That would be silly! What with it being so overly frank.

No, the title is “It’s time for the FTC to investigate Mac security”.

You might be confused about the clumsy phrasing because the FTC, of course, doesn’t investigate computer security, it investigates the veracity of advertising claims.  What Winkler believes the FTC should investigate is whether Apple is violating trade laws by claiming in its commercials that Macs are less affected by viruses than Windows.

Apple gives people the false impression that they don’t have to worry about security if they use a Mac.

Really? The ads don’t say Macs are invulnerable. They say that Macs don’t have the same problem with exploits that Windows has.  And it’s been the Macalope’s experience that people get that.  The switchers he’s come into contact with seem to know exactly the score: more people use Windows so malicious coders have, to date, almost exclusively targeted Windows.

Some people—many of them security professionals like Winkler—find this simple fact unfair.  Sadly, life isn’t fair.

Well, “sadly” for Windows users. Not so much for Mac users.  We’re kind of enjoying it.

And perhaps because the company is invested in fostering that impression, Apple is grossly negligent in fixing problems. The proof-of-concept code in this case is proof that Apple has not provided a fix for a vulnerability that was identified six months ago. There is no excuse for that.

On this point, the Macalope and Winkler are in agreement. There is no excuse for that.  The horny one thinks the company has been too lax on implementing a serious security policy and was one of many Mac bloggers to take the company to task for laughing off shipping infected iPods.  He’s hopeful the recent hire of security architect Ivan Krstic signals a new era for the company.

But let’s get back to Winkler’s call for an FTC investigation. Because that’s funnier.

The current Mac commercials specifically imply that Windows PCs are vulnerable to viruses and Macs are not.

Actually, no. What they say is that Windows PCs are plagued by viruses and Macs are not.

I can’t disagree that PCs are frequent victims of viruses and other attacks…

Ah, so we agree!

...but so are Macs.

Oops, no we don’t.

The Macalope would really love to have seen a citation here because it would have been hilarious.

In fact, the first viruses targeted Macs.

So “frequent” in terms of the Mac here is more on a geologic time scale. Got it.

Apple itself recommended in December 2008 that users buy antivirus software. It quickly recanted that statement, though, presumably for marketing purposes.

OK, let’s set the story straight here because Winkler’s version reads like something from alt.microsoft.fanfic.net.  The document in question was a minor technical note created in June of 2007 that got updated in December.  The company did not “recant” the statement, it pulled the note after it got picked up by the BBC, the Washington Post and CNet as some kind of shocking double-faced technology industry scandal.

By the way, did you know that Apple also markets Macs as easier to use, yet continues to sell books on how to use Macs in its stores? It’s true! But if it’s so easy to use, why all the books, Apple? Why? All? The? Books?

A ZDNet summary of 2007 vulnerabilities showed that there were five times more vulnerabilities for Mac OS than for all types of Windows PC operating systems.

No citation, but the Macalope knows what he’s talking about. He’s talking about this summary by George Ou.  George loved to drag these stats out because they always made Apple look worse than Microsoft. But he neglected to mention the many problems with this comparison, most importantly that Secunia, the source of the data, expressly counseled against using it to compare the relative security of the products listed because they’re tracked differently.

But buy Winkler’s book! The Macalope’s sure the rigor of the research in them is better than in this piece!

How can Apple get away with this blatant disregard for security?

How can Computerworld get away with printing unsourced accusations that were debunked a year and a half ago?

Its advertising claims seem comparable to an automobile manufacturer implying that its cars are completely safe and its competitors’ cars are death traps, when we all know that all cars are inherently unsafe.

That’s a really lousy analogy. But to work with it, it’s not that Apple’s saying its car is safer, it’s saying the roads in Macland are safer. Get out of that heavy city traffic and into the countryside.

The mainstream press really doesn’t cover Mac vulnerabilities…

The real mainstream press doesn’t cover vulnerabilities for any operating system. It covers attacks (even lame Mac attacks). The technology press, on the other hand, loves to cover Mac vulnerabilities, despite Winkler’s claim to the contrary, even though exploits of those vulnerabilities have never amounted to much.

When I made a TV appearance to talk about the Conficker worm, I mentioned that there were five new Mac vulnerabilities announced the day before. Several people e-mailed the station to say that I was lying, since they had never heard of Macs having any problems. (By the way, the technical press isn’t much better in covering Mac vulnerabilities.)

So, let’s get this straight. Winkler gets on TV and talks up Mac vulnerabilities in a segment about a Windows attack. But because he got five mean emails, the story we’re supposed to get is about how the coverage is all pro-Apple?  Were the five emails from TV news anchors or something?

And just to be clear, it is not that Apple’s software has security vulnerabilities that is the problem; all commercial software does. The problem is that Apple is grossly misleading people to believe otherwise.

Wow, there is an awful lot of loose talk about how badly Apple is misleading the public with its wild claims. It’s somewhat surprising that Winkler doesn’t get around to actually quoting any of those very dangerous claims that the FTC should immediately investigate.

The Macalope thought about going back and pulling the quotes from the commercials and showing how all they actually do is say the Mac simply doesn’t have the virus problems Windows does (true!), but then he thought, hey, Winkler’s the one making the accusations. Why shouldn’t he be forced to back them up?

But buy Winkler’s book! The Macalope’s sure it’s awesome.

Winkler’s right that all commercial software has vulnerabilities.  And Vista actually better implements technologies designed to make writing exploits harder. He’s also right that there’s been much to criticize Apple about over security.  But the mildly honest parts of Winkler’s piece conflate vulnerabilities and exploits in an effort to make the Mac look worse and the dishonest parts are just utter fabrications (e.g. Macs are “frequently” hit by viruses).

An FTC investigation?  That’s just standing on the diving board and jumping up and down yelling “Look at me! Look at me! Hey, everyone, look what I can do!”

If Winkler had a serious argument about there needing to be an FTC investigation, he would have linked to the FTC’s guidelines for the substance of advertising claims and contrasted them with quotes from Apple’s ads. But he didn’t do that.

Because he doesn’t have a serious argument to make.

But buy his book!

This post thanks to www.macalope.com

–Macalope

Wednesday, May 20, 2009

Using a Mac? Turn Off Java in Your Browser

By Rich

One of the great things about Macs is how they leverage a ton of Open Source and other freely available third-party software. Rather than running out and having to install all this stuff yourself, it's built right into the operating system.

But from a security perspective, Apple's handling of these tools tends to lead to some problems. On a fairly consistent basis we see security vulnerabilities patched in these programs, but Apple doesn't include the fixes for days, weeks, or even months. We've seen it in Apache, Samba (Windows file sharing), Safari (WebKit), DNS, and, now, Java. (Apple isn't the only vendor facing this challenge, as recently demonstrated by Google Chrome being vulnerable to the same WebKit vulnerability used against Safari in the Pwn2Own contest). When a vulnerability is patched on one platform it becomes public, and is instantly an 0day on every unpatched platform.

As detailed by Landon Fuller, Java on OS X is vulnerable to a 5 month old flaw that's been patched in other systems:

CVE-2008-5353 allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely by visiting a web page hosting the applet. The issue is trivially exploitable.

Landon proves his point with proof of concept code linked to his post.

Thus browsing to a malicious site allows an attacker to run anything as the current user, which, even if you aren't admin, is still a heck of a lot.

You can easily disable Java in your browser under the Content tab in Firefox, or the Security tab in Safari.

I'm writing it up in a little more detail for TidBITS, and will link back here once that's published.

–Rich

Thursday, May 07, 2009

Get the iPhone or Not?

By Adrian Lane

It's kind of Apple Day here. Rich has been stuck in a 'Genius Bar' time warp all morning with a handful of dead Mac minis (Probably died from processor envy when the new Mac Pro arrived). Despite the recession, if you lose your appointment slot, you are going to be waiting a long time, as the AZ Apple stores are always packed. I would gladly have switched places with him, as I have spent all morning trying to decipher alien runes AT&T iPhone pricing plans. My cell phone provider, Qwest, is dropping all its cellular services and I now need two new phones. I thought this would be an easy decision as everyone I know seems to have an iPhone. Most people I know in the security profession have had their iPhones for a year or more and they love them. They really like to show off their eye-candy apps and what a powerful mobile computer the iPhone really is. But if 95% of your use is going to be phone calls, is it worth it?

As bad as the AT&T pricing is, the real issue is service. AT&T coverage and clarity sucks, or SUCKS, depending upon where in the country you live. I get phone calls from friends and associates, usually someone I know who has some comment about how my recent blog post demonstrated a complete lack of knowledge, and I should really have done my homework prior to posting. And that person is really smart and is probably making really compelling arguments, but it comes across as a small child making motorboat noises while facing away from the phone. I can't help myself and laugh out loud. My laughter and saying "Dude!" really pisses them off, but it is really hard to hear! And this is just the Securosis side of things. My wife and I drive lots of places where a clear connection is critical, and might have a life-threatening need to reach out and speak to someone who can help. In cases like this, a cool gadget loses every time to a reliable call.

I love all the Apple products I have purchased and will seriously consider the iPhone. But AT&T is not Apple, and when it comes down to it, service is the bulk of what I am paying for. I was really hoping the rumored Verizon branded iPhone Nano would happen as I could get the Apple product and have good coverage. I have been cruising Mac Rumors every day to see what's new. We'll see. There is a rumor that AT&T is dropping prices, which is nice, but Verizon is running a 2 for 1 sale on Blackberrys, which is even more compelling. I have another month or two of service before I have to make a decision, by which time the new iPhones should be out, and then I will make the decision.

–Adrian Lane

Monday, January 05, 2009

Macworld Coverage

By Rich

Macworld Expo may no longer be good enough for Apple, but it's still one of my conference highlights of the year. I'll be out there today through Thursday while Adrian manages the fort in Phoenix (I've managed to convince him that cleaning the cat litter while my wife is at work is a formal job responsibility, please don't tell him that's illegal and stuff).

Most of my writing this week will be over at TidBITS, but I'll pop some of my informal thoughts (and anything security related) over here at Securosis and on Twitter. And if any of you are over at the Expo, drop me a line and let's try to meet up.

For the record- I don't expect any earth shattering new announcements this week, but some nice incremental upgrades. To be honest, I'd rather have better stability and functionality with what I already own than some new device I'll get in trouble for buying.

P.S. Dear Apple, if you do announce anything insanely new and cool, please make it small enough to fit in my carry-on luggage. That is all.

–Rich

Wednesday, December 03, 2008

Apple Antivirus Thing: Much Ado About Nothing

By Rich

All right, people, here's the deal.

I just published my take on the whole "Apple he said/she said you do/don't need antivirus" thing over at TidBITS. Here's my interpretation of what happened:

  1. Back in 2007 some support guy posted a list of major AV products supported on the Mac.
  2. On November 21st, it was updated to reflect current version numbers.
  3. Whoever wrote it is a shitty writer, and didn't realize how people would interpret it.
  4. The press found it and trumpeted it to the world.
  5. Apple management went, "WTF?!? We don't tell people they should install three different AV programs all at once. Hell, we never tell them they need AV at all. Not that we're going to tell them *not* to use it..."
  6. The support article was pulled and statements issued.
  7. Some people called it a conspiracy, because they like that sort of thing.
  8. Somewhere deep in the bowels of 1 Infinite Loop, there is a pike, holding a bloody head, on prominent display.

So no, most of you don't need antivirus. You can read my article on this from back in March if you want more help deciding if you should take a look at AV on your Mac.

Alan Shimel is one of a group of people who think it's about time Mac users paid attention to security and installed AV. I like to break that argument into two sections. First, as I've learned since writing for TidBITS and Macworld, the average Mac user is definitely worried about security. But (second) this doesn't mean desktop AV is the right answer. Right now, the risk of malware infection on the Mac is so low for the average user that AV really doesn't make sense. That can change, heck, it probably will change, but that's the situation today. Thus I recommend most people use mail filtering and browse safely rather than installing desktop AV.

Not recommending AV isn't Apple's ego (and I don't deny they have an ego), it's a reflection of the risk to users in the current environment. Now the odds are us Mac security types will recommend AV long before Apple does, but that day definitely isn't here yet.

Apple didn't reverse their policies- something slipped out from the lower levels by accident, and all the hubbub is much ado about nothing.

The day will likely come when Mac users need additional malware protection, but today isn't that day, and even then, AV may not be the answer. Read my older article on this, and keep up with the news so you'll know when the time comes.

–Rich

Monday, October 20, 2008

Three Steps Forward, One Back

By Adrian Lane

What did you think of the new MacBook? I think they are nice, I don't want a new one bad enough to upgrade. I bought my MacBook last month knowing full well that they were going to release the new models on the 14th of this month, but the advancements would not be enough for me to wait. Most of the articles & analysis I read were a little harsh, with much of the focus on the price drop, or lack of drop, when I was focused on usability. Maybe they are right, and with the economic slowdown the price reduction is not enough to capture larger appeal and Apple will get hammered.

Still, I think this is a nice advancement. I had seen the leaked photos of the Aluminum case and that looked a lot nicer and more durable than the plastic one; when you travel as much as I do, that seems to be a very nice upgrade. And as it has proven to be with my aluminum desktop cases, I am sure that the heat loss through the case itself will be valuable in keeping the machine cooler with faster processors that will be made available in the future. If you have ever over-clocked machines before, you know how much Aluminum cases help dissipate heat and improve the lifespan of electronic components.

The biggest problem I have with my MacBook is the mediocre video quality. It's not just that the graphics card in the current model is under-powered, rather the color, contrast and sharpness is just 'Blah'! The new LED backlit display should solve much of this problem. Yeah, the graphics engine is a big boost as well, but really, what hard core gamer is going to use a laptop for a first person shooter? I thought not.

I am going to call the Mini-display port a wash. Why? It will be awesome when attached to the new 24 inch monitor, no doubt about that. But how many MacBook owners are going to buy a $900.00 Monitor? If the analysts are complaining the $999.00 price point is too high for the MacBook, doubling the price makes this option miss the target buyer. Nice technology, perhaps not appropriate for the current generation of buyers.

Personally I am glad that the BluRay player was not included in the new MB. This, in my opinion, is the current generation of Laserdisc players. Yes it offers better performance, but few want it. Did you see that only some 8 million Blu-Ray disks have been sold this year? They have sold almost that many Blu-Ray players if you take into account the current generation of Playstations; this is a dismal adoption rate. And if you are like me, I would rather have video on demand as it seems like a more dynamic & efficient way to get movies and television. And I am not lugging around a Blu-Ray player that will probably be obsolete within months. All of which is in line with Apple's strategy (http://www.apple.com/appletv/whatson/movies.html).

That takes us to my one disappointment: Firewire. This is how I will hook up my Drobo. This is how I hook up my camera. This is how I update the maps on my Garmin. It's fast. It's nice to have the option. Sure I can get adaptor cables and use USB, but I would have preferred a dedicated port. Removing this was probably not such a good idea, and I wonder if we will see its return in future models.

All in all, I think the MacBook made three steps forward and one back; couple that with a price drop and I say that is pretty darn good!

–Adrian Lane

Wednesday, July 09, 2008

Dark Reading Column: Attack Of The Consumers (And Those Pesky iPhones)

By Rich

I have a sneaking suspicion my hosting provider secretly hates me after getting Slashdotted twice this week. But I don't care, because in less than 48 hours it's iPhone Day!!!

Okay, so I already have one and all the new one adds is a little more speed, and a GPS that probably isn't good enough for what I need. But I use the friggen thing so darn much I can definitely use that speed.

It's been up for a few days, but with everything else going on I'm just now getting back to my latest Dark Reading column. This month I take a look at what may be one of the most disruptive trends in enterprise technology- the consumerization of IT. Here's an excerpt:

That's the essence of the consumerization of IT. Be it laptops, cellphones, or Web services, we're watching the walls crumble between business and consumer technology. IT expands from the workplace and permeates our entire lives. From home broadband and remote access, to cellphones, connected cars, TiVos, and game consoles with Web browsers. Employees are starting to adapt technology to their own individual work styles to increase personal productivity. The more valued the knowledge worker, the more likely they are to personalize their technology — work provided or not. Some companies are already reporting difficulties in getting highly qualified knowledge workers and locking them into strict IT environments. No, it's not like the call center will be running off their own laptops, but they'll probably be browsing the Web, sending IMs, and updating their blogs off their phones as they sit in front of their terminals. This is far from the end of the world. While we need to change some of our approaches, we're gaining technology tools and experience in running looser environments without increasing our risk. There are strategies we can adopt to loosen the environment, without increasing risks:

–Rich

Thursday, June 26, 2008

Don’t Use chmod To Block Mac OS X ARDAgent Vulnerability

By Rich

Just a quick note- if you used chmod to change the permissions of ARDAgent to block the privilege escalation vulnerability being used by the new trojans you should still go compress or remove it. Repairing permissions restores ARDAgent and opens the vulnerability again.

I suppose you could also make sure you don't repair permissions, but it's easiest to just remove it.

I removed the chmod recommendation from the TidBITS article.

–Rich

Monday, June 23, 2008

Improving OS X Security

By Rich

There's been a bunch of news on the Mac security front in the past couple of weeks. From the Safari carpet bombing attack, to a couple trojans popping up. Over the weekend I submitted an email response to a press interview where I outlined my recommended improvements to OS X to keep Macs safer than Windows. On the technical side they included elements like completing implementation of library randomization (ASLR), adding more stack protection to applications, enhancing and extending sandboxing to most major OS X applications, running fewer processes as root/system, and more extensive use of DEP. I'm not bothering to lay this out in any more depth, because Dino Dai Zovi did a much better job of describing them over on his blog. Dino's one of the top Mac security researchers out there, so I highly suggest you read his post if you're interested in OS X security.

There are a few additional things I'd like to see, outside of the OS level changes:

  1. A more-deeply staffed Apple Security Response Center, with public facing side to better communicate security issues and engage the research community. Apple absolutely sucks at working with researchers and communicating on security issues. Improvements here will go a way to increase confidence, manage security issues, and avoid many of the kinds of flareups we've seen in the past few years.
  2. Better policies on updating open source software included with OS X. In some cases, we've seen vulnerabilities in OS X due to included open source software, like Samba and Apache, that are unpatched for MONTHS after they are publicly known. These are fully exploitable on Macs and other Apple products until Apple issues an update. I realize this is a very tough issue, because Apple needs to run through extensive evaluation and testing before releasing updates, but they can mitigate this timeline by engaging deeply with those various open source teams to reduce the windows where users are exposed to the vulnerabilities.
  3. An Apple CSO- someone who is both the internal leader and external face of Apple security. They need an evangelist with credibility in the security world (no, I'm not trolling for a job; I don't want to move to California, even for that).
  4. A secure development lifecycle for Apple products. The programmers there are amazing, but even great programmers need to follow secure coding practices that are enforced with tools and process.

I have suspicions we might see some of these technical issues fixed in Snow Leopard, but the process issues are just as important for building and maintaining a sustainable, secure platform.

–Rich

Thursday, June 19, 2008

I’m With Ptacek- I Run My Mac As Admin

By Rich

I'm still in New York for the FISD conference, listening to Team Cymru talk about the state of cybercrime as I wait for my turn at the podium (to talk about information-centric security and DLP). One problem with travel is keeping up with the news, so I pretty much missed the AppleScript vulnerability and now have to write it up for TidBITS on the plane before Monday.

I was reading Thomas Ptacek's post on the vulnerability, and I think it's time I joined Tom and came out of the closet.

I run as admin on my Mac. All the time. And I'm not ashamed. Why? As Ptacek said, even without root/admin there's a ton of nasty things you can do on my system. In fact, you can pretty much get anything I really worry about. I even once wrote some very basic AppleScript malware that ran on boot (after jailbreaking an improperly configured virtual machine). It didn't need admin to work.

There. I feel better now. Glad to get that out there.

(If you're going to criticize this, go read Tom's post and talk to him first. He's smarter than me, and not on an airplane.)

–Rich

Tuesday, May 20, 2008

Formatting An iPhone To Wipe Data

By Rich

It appears people are recovering data off old iPhones. Whoops- looks like you can pull data out of memory using forensics tools, just like any other platform. While your Mac includes the ability to overwrite old data when formatting your hard drive to prevent recovery (very cool that this is included in a consumer operating system), there is no equivalent mechanism to clear off that "ancient" original iPhone when you trade up to the 3G version next month.

For those of you who aren't just convincing your spouses to take your "old" iPhone off your hands to justify that new toy, Securosis presents a simple process to minimize the chances of recovery. It's not perfect, but it's easy and should offer enough protection for those of you forced to eBay your once-precious-but-now-obsolete device:

  1. Restore the iPhone from within iTunes.
  2. On the "Info" tab, un-check all options so you don't synchronize calendars, email, bookmarks, and contacts.
  3. On the Photos, Podcasts, and Video tabs, uncheck "Sync ...".
  4. Create 3 big playlists as large as the storage capacity of your iPhone.
  5. On the Music tab, select the first of your 3 playlists to sync. Make sure the storage bar at the bottom looks full after syncing.
  6. Sync your iPhone, change to the next playlist, sync again, and repeat one last time.

This will hopefully overwrite any of the free space on your phone, helping prevent recovery of any of those love letters and bad jokes lingering from old emails. I won't have a chance to test this anytime soon, and odds are high some fragments will survive depending on how the iPhone allocates at the file system level, but this should be more than sufficient to prevent casual recovery of sensitive stuff if you'd like to hock your "old" phone.

–Rich