Security professionals seem to have a strained relationship with Apple these days. Any trip to a security conference shows that more and more security professionals are using Macs on a regular basis. A not-insignificant percentage of the high-end industry types I know use Macs and iPhones; at home if not at work, often against corporate policy.
Yet Apple's view on security is very… 2001. They do not follow a security development lifecycle. Marketing seems to play too strong a role in security decisions, especially when dealing with researchers. They never finished most of the security features of Leopard, and some products (especially QuickTime) are running at very high vulnerability rates.
The first thing we need to get out of the way is that Macs are currently safer to use than Windows XP, even if they aren't as secure. There just aren't as many exploits out there in the wild. Vista is more secure, but I find it unusable. This can, and will, change over time as Macs continue to rise in popularity and become a bigger target.
Thus, as a security professional I have mixed feelings about Apple. I feel somewhat hypocritical about supporting a company that doesn't prioritize my bread and butter, but I'm not overly pleased with Windows' UI failings or Linux's peculiarities. I've made the decision to pick the OS that best fits my work and productivity needs, then do what I can to improve the security of the platform.
Which gives me three options:
- Work for Apple. They haven't called and I'm not waiting.
- Discover and report vulnerabilities, hoping they'll get patched. I suck at this, so not the best option.
- Criticize and constantly pressure them in public, hoping to embarrass them into change. They'll call me a raving loon, then ignore and marginalize me.
- Actively engage with the Apple community, give Apple credit for what they get right, and point out where they get things wrong while educating Mac users. This hopefully gains me enough credibility that they can't simply dismiss me as anti-Apple and I can help the Mac community pressure Apple for needed change.
Apple is far from perfect and their security needs a ton of work, but I'm taking a reasoned approach and hoping that by engaging and educating their customers (and thus Apple, indirectly), we can spur change.
On that note, I'm off to the Macworld Expo show floor to meet with various vendors (including security vendors) and to play with my new iPhone (yes, I'm weak).
10 Replies to “On My Curious Relationship With Apple And Security”
[…] On My Curious Relationship With Apple And Security | securosis.com Interesting post about security on the Mac by Rich Mogull, an expert on the subject and a recent convert to Macs. He has just made his collaboration with TidBits official. (tags: security Rich_Mogull) […]
Case in point:
http://www.cisco.com/en/US/products/products_security_advisory09186a008093942e.shtml
I know, off topic from Apple—but just goes to show how bad Cisco is at stupid little stuff like handling exceptions that don't create panics like this.
It seems I'm not the only one of the opinion that Apple's popularity is going to bring out all the vulnerabilities.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9058198&source=rss_topic85
The discussion about titles is interesting to me- I've very recently entered into this world of security with a BS and I passed the CISSP exam (though my work experience limits me to Associate of (ISC)²). I am not a technical security person at all, the CISSP is so very overview centric, and I don't like to use the title "Engineer" but job search engines seem to find more when I do. I lean to the "Analyst" title, but being a newbie, I hesitate on that too. I'm not sure what to title myself.
[…] Mogull talks about his "Curious Relationship With Apple And Security" and what he wants to do in the future: "Actively engage with the Apple community, give Apple […]
Oh, I agree on the engineer title. It's why I don't call myself a programmer, even though I've programmed professionally. I came up on the technical side as a systems and network administrator, and I won't use the title "engineer".
Also keep in mind that many pundit types do have real technical backgrounds, but as they progress through their career it's hard to keep those skills as you move to the business side. I like to think I do it better than most, but that's only because I'm a huge geek who enjoys re-wiring his house for home automation on the weekends and hacking WRTs.
On SDLC- I'm using the term Security Development Life Cycle, not Software Development. Apple obviously has a software development cycle, but there is no formal security development cycle. That's huge, and something they'll have to do eventually. It takes years to implement, but when it works you get things like SQL Server 2005 (only 1 known vulnerability since release).
As for the researchers talking to me- there is a very tight community of trust involved, and even then I don't get code samples. No hypocrisy involved; it's no different than doctors or police officers carefully exchanging case notes. These were all responsibly reported to Apple and have yet to make it public, although they are sometimes independently discovered (e.g. a new tool is released, lowering the skill level required for discovery). Most of these researchers will never disclose unless a product is patched.
I'm curious, because most often times vulnerabilities that are quietly reported to the vendor first will get out into the wild eventually. I find it hard to believe that most security researchers wouldn't give Apple the chance to take the opportunity, and then if not announce it to the world to make it a priority. Although not exactly ethical that tactic has proven quite reliable in the past. The thing that is interesting to me is that if security researchers are telling you, then they're also telling others. Which is hard to keep tightly closed in this day and age… If someone truly does not believe in full disclosure then you would never hear it. Telling anyone makes that researcher a hypocrite of sorts because the faintest of insight can provide a fast track to potentially malicious users.
I think it's laughable to propose that Apple has no software development life cycle in place. It's impossible to write an entire OS without one. Now, whether or not they have a specific cycle for security practices is another question. But every company I've worked for (Lockheed Martin probably had one of the best I've seen) has always followed a strict process around this sort of function—I can't imagine Apple not having one.
With regards to "security" and "safety"—I'm not sure what exactly you're trying to make a point of. Security, in my mind, is the intrinsic valuation of risk based on an assessment with regards to a monetary value (because all things can be given a price tag), not safety. If I am at risk then I have bad or weak security. Security is just a buzzword. So is information assurance (however, a better idea for describing the situation—I know Hoff renamed his site to this, probably after he saw Norwich's IA Masters program title—they've been calling it that for years). "Safety" is a new one for me. I also don't see security as theoretical. If I wanted to look at that side of the coin I'd be looking at a risk assessment. "Theoretically I am 100% secure with no patches because this machine will never be turned on and stored in a glass bubble."
In the end I don't think anybody was attacking your professional cred in particular here. I think there are too many people who don't have the background and throw up a blog and discuss it. I think the differential that I get frustrated with in this space is those who do and those who write about it. I find it hard to believe people are "professional security researchers" who write process and risk management papers around security. These are usually not the people down at the very technical level. I think there's a vast difference in being a security engineer (as in doing) and a security practitioner / analyst. I wish there was a gold standard to differentiate, but alas nothing will ever exist in this space. In Texas to hold a formal "engineering" title you have to have a degree to back it. However, when I worked for LM I was a "systems engineer"—although my major in college (B.S. in Telecommunications Systems) was not an engineering undergrad program at all. Sure, I did all of the math, CS, digital, comms, and lots and lots of NetAcad. But I never really thought of myself as a tried and true "engineer". Maybe a network engineer, but I never did formal systems engineering coursework until after my undergrad… And then I realized what it really means to hold the title of a real engineer. In the end too many people give themselves too big of titles and it's annoying. I'm not saying, in particular, you Rich—but I'm sure you see a lot of this along with the rest of us.
I know of multiple vulnerabilities that were quietly reported to Apple by responsible security vendors and mishandled. In many cases, I believe it's because they never made it to the few security engineers who could have resolved the issue in a timely fashion.
None of this, of course, makes it public because none of the people involved believe in full disclosure. They don't self-promote and thus these problems never make it to light. As a security researcher, but not a vulnerability researcher, I NEVER disclose any of these situations, but they do taint my analysis.
We can't perform real statistical analysis since we will never have the complete numbers. What we do know is that the security department is under-staffed, under-budgeted, and there is no SDLC in place.
All of those are situations Apple will need to remedy as the platform becomes more popular. I'm a heavy, practically exclusive, user of Apple products and despite the security shortcomings I still feel comfortable using the products because of the relatively low risk. This is the difference between "security" (how theoretically secure something is), and "safety" (the real level of risk based on threats). @windexh8r, you seem to be looking only at safety, not security.
I bring these issues up to educate customers who will eventually apply market pressure on Apple for better security. I also balance this with my love of Apple products. I'm far from one of those random bloggers that just whines about security without any real knowledge or doing anything about it. I'm a professional industry analyst and researcher with years of experience and a solid, public, track record.
You can decide for yourself.
Saying that Apple are slow to respond to vulnerabilities and that they ignore vulnerabilities are two very different claims. The first can be backed up with statistics—and in Apple's defense, the funding the security department receives is laughable compared to Microsoft. However your second claim is simply untrue… While Apple may be slow to address issues, show me a single responsible vulnerability reporter who Apple ignored, or mistreated. Every security advisory they put out contains credit information, so it should be easy to contact these people and ask them about their experience. It often seems like bloggers and self-marketers with little real security research experience criticize loudly and ignorantly while real security researchers quietly report vulnerabilities and receive credit. Making this claim without conducting a statistical analysis of how legitimate reporters of issues feel is doing a disservice to your readers and is unfair to those at Apple who work hard with external reporters.
@forrestmage
I know, I was just clarifying for the uninformed.
Firefox 3 too. Oh wait, it's beta. Someone bust out the fuzzer! Anyway, who needs Javascript, AJAX, and the web 2.0 goodness… Let's all just switch to Links where the web is best viewed in less than 10 colors. No cheating, I know about 'links -g'!
@windxh8er
Just to make sure you aren't misunderstanding me- I know MacSweeper doesn't use an exploit, my point is that it targets Mac users. Yes we're all used to seeing these for Windows, but now it has become profitable to do the same thing on Mac. My point is that if it is now profitable to target Macs with scareware, it won't be long until we see the true quantity of Mac exploits as it becomes profitable to actually *look* for them.
At the same time though, I think the Windows/Mac security debate is going the way of the Dodo as exploits are turning to target web apps that every browser supports, regardless of publisher. Let's compare IE7, Safari 3.0, Firefox 2.x, and whatever release Opera is on and how they handle web exploits. I'm curious to hear what all of you think of this trend.