Security professionals seem to have a strained relationship with Apple these days. Any trip to a security conference shows that more and more security professionals are using Macs on a regular basis. A not-insignificant percentage of the high-end industry types I know use Macs and iPhones, at home if not at work, often against corporate policy.
Yet Apple’s view on security is very… 2001. They do not follow a security development lifecycle. Marketing seems to play too strong a role in security decisions, especially when dealing with researchers. They never finished most of the security features of Leopard, and some products (especially QuickTime) are running at very high vulnerability rates.
The first thing we need to get out of the way is that Macs are currently safer to use than Windows XP, even if they aren’t as secure. There just aren’t as many exploits out there in the wild. Vista is more secure, but I find it unusable. This can, and will, change over time as Macs continue to rise in popularity and become a bigger target.
Thus, as a security professional I have mixed feelings about Apple. I feel somewhat hypocritical about supporting a company that doesn’t prioritize my bread and butter, but I’m not overly pleased with Windows’ UI failings or Linux’s peculiarities. I’ve made the decision to pick the OS that best fits my work and productivity needs, then do what I can to improve the security of the platform.
Which gives me three options:
- Work for Apple. They haven’t called and I’m not waiting.
- Discover and report vulnerabilities, hoping they’ll get patched. I suck at this, so not the best option.
- Criticize and constantly pressure them in public, hoping to embarrass them into change. They’ll call me a raving loon, then ignore and marginalize me.
- Actively engage with the Apple community, give Apple credit for what they get right, and point out where they get things wrong while educating Mac users. This hopefully gains me enough credibility that they can’t simply dismiss me as anti-Apple and I can help the Mac community pressure Apple for needed change.
Apple is far from perfect and their security needs a ton of work, but I’m taking a reasoned approach and hoping that by engaging and educating their customers (and thus Apple, indirectly), we can spur change.
On that note, I’m off to the Macworld Expo show floor to meet with various vendors (including security vendors) and to play with my new iPhone (yes, I’m weak).
10 Replies to “On My Curious Relationship With Apple And Security”
[…] On My Curious Relationship With Apple And Security | securosis.com Interesting post about security on the Mac from Rich Mogull, a specialist on the subject and a recent convert to Macs. He has just made his collaboration with TidBits official. (tags: security Rich_Mogull) […]
Case in point:
http://www.cisco.com/en/US/products/products_security_advisory09186a008093942e.shtml
I know, off topic from Apple—but just goes to show how bad Cisco is at stupid little stuff like handling exceptions that don’t create panics like this.
It seems I’m not the only one of the opinion that Apple’s popularity is going to bring out all the vulnerabilities.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9058198&source=rss_topic85
The discussion about titles is interesting to me- I very recently entered this world of security with a BS and I passed the CISSP exam (though my work experience limits me to Associate of (ISC)²). I am not a technical security person at all, the CISSP is so very overview centric, and I don’t like to use the title “Engineer” but job search engines seem to find more when I do. I lean to the “Analyst” title, but being a newbie, I hesitate on that too. I’m not sure what to title myself.
[…] Mogull talks about his “Curious Relationship With Apple And Security” and what he wants to do in the future: “Actively engage with the Apple community, give Apple […]
Oh, I agree on the engineer title. It’s why I don’t call myself a programmer, even though I’ve programmed professionally. I came up on the technical side as a systems and network administrator, and I won’t use the title “engineer”.
Also keep in mind that many pundit types do have real technical backgrounds, but as they progress through their career it’s hard to keep those skills as you move to the business side. I like to think I do it better than most, but that’s only because I’m a huge geek who enjoys re-wiring his house for home automation on the weekends and hacking WRTs.
On SDLC- I’m using the term Security Development Life Cycle, not Software Development. Apple obviously has a software development cycle, but there is no formal security development cycle. That’s huge, and something they’ll have to do eventually. It takes years to implement, but when it works you get things like SQL Server 2005 (only 1 known vulnerability since release).
As for the researchers talking to me- there is a very tight community of trust involved, and even then I don’t get code samples. No hypocrisy involved; it’s no different than doctors or police officers carefully exchanging case notes. These were all responsibly reported to Apple and have yet to make it public, although they are sometimes independently discovered (e.g. a new tool is released, lowering the skill level required for discovery). Most of these researchers will never disclose unless a product is patched.
I’m curious, because most often vulnerabilities that are quietly reported to the vendor first will get out into the wild eventually. I find it hard to believe that most security researchers wouldn’t give Apple the chance to take the opportunity, and then if not announce it to the world to make it a priority. Although not exactly ethical, that tactic has proven quite reliable in the past. The thing that is interesting to me is that if security researchers are telling you, then they’re also telling others. Which is hard to keep tightly closed in this day and age… If someone truly does not believe in full disclosure then you would never hear it. Telling anyone makes that researcher a hypocrite of sorts because the faintest of insight can provide a fast track to potentially malicious users.
I think it’s laughable to propose that Apple has no software development life cycle in place. It’s impossible to write an entire OS without one. Now, whether or not they have a specific cycle for security practices is another question. But every company I’ve worked for (Lockheed Martin probably had one of the best I’ve seen) has always followed a strict process around this sort of function—I can’t imagine Apple not having one.
With regards to “security” and “safety”—I’m not sure what exactly you’re trying to make a point of. Security, in my mind, is the intrinsic valuation of risk based on an assessment with regards to a monetary value (because all things can be given a price tag), not safety. If I am at risk then I have bad or weak security. Security is just a buzzword. So is information assurance (however, a better idea for describing the situation—I know Hoff renamed his site to this, probably after he saw Norwich’s IA Masters program title—they’ve been calling it that for years). “Safety” is a new one for me. I also don’t see security as theoretical. If I wanted to look at that side of the coin I’d be looking at a risk assessment. “Theoretically I am 100% secure with no patches because this machine will never be turned on and stored in a glass bubble.”
In the end I don’t think anybody was attacking your professional cred in particular here. I think there are too many people who don’t have the background and throw up a blog and discuss it. I think the differential that I get frustrated with in this space is those who do and those who write about it. I find it hard to believe people are “professional security researchers” who write process and risk management papers around security. These are usually not the people down at the very technical level. I think there’s a vast difference in being a security engineer (as in doing) and a security practitioner / analyst. I wish there was a gold standard to differentiate, but alas nothing will ever exist in this space. In Texas to hold a formal “engineering” title you have to have a degree to back it. However, when I worked for LM I was a “systems engineer”—although my major in college (B.S. in Telecommunications Systems) was not an engineering undergrad program at all. Sure, I did all of the math, CS, digital, comms, and lots and lots of NetAcad. But I never really thought of myself as a tried and true “engineer”. Maybe a network engineer, but I never did formal systems engineering coursework until after my undergrad… And then I realized what it really means to hold the title of a real engineer. In the end too many people give themselves too big of titles and it’s annoying. I’m not saying, in particular, you Rich—but I’m sure you see a lot of this along with the rest of us.
I know of multiple vulnerabilities that were quietly reported to Apple by responsible security vendors and mishandled. In many cases, I believe it’s because they never made it to the few security engineers who could have resolved the issue in a timely fashion.
None of this, of course, makes it public because none of the people involved believe in full disclosure. They don’t self-promote and thus these problems never make it to light. As a security researcher, but not a vulnerability researcher, I NEVER disclose any of these situations, but they do taint my analysis.
We can’t perform real statistical analysis since we will never have the complete numbers. What we do know is that the security department is under-staffed, under-budgeted, and there is no SDLC in place.
All of those are situations Apple will need to remedy as the platform becomes more popular. I’m a heavy, practically exclusive, user of Apple products and despite the security shortcomings I still feel comfortable using the products because of the relatively low risk. This is the difference between “security” (how theoretically secure something is), and “safety” (the real level of risk based on threats). @windexh8r, you seem to be looking only at safety, not security.
I bring these issues up to educate customers who will eventually apply market pressure on Apple for better security. I also balance this with my love of Apple products. I’m far from one of those random bloggers that just whines about security without any real knowledge or doing anything about it. I’m a professional industry analyst and researcher with years of experience and a solid, public, track record.
You can decide for yourself.
Saying that Apple are slow to respond to vulnerabilities and that they ignore vulnerabilities are two very different claims. The first can be backed up with statistics, and in Apple’s defense, the funding the security department receives is laughable compared to Microsoft. However your second claim is simply untrue… While Apple may be slow to address issues, show me a single responsible vulnerability reporter who Apple ignored or mistreated. Every security advisory they put out contains credit information, so it should be easy to contact these people and ask them about their experience. It often seems like bloggers and self-marketers with little real security research experience criticize loudly and ignorantly while real security researchers quietly report vulnerabilities and receive credit. Making this claim without conducting a statistical analysis of how legitimate reporters of issues feel is doing a disservice to your readers and is unfair to those at Apple who work hard with external reporters.
@forrestmage
I know, I was just clarifying for the uninformed. 🙂
Firefox 3 too. Oh wait, it’s beta. Someone bust out the fuzzer! Anyway, who needs Javascript, AJAX, and the web 2.0 goodness… Let’s all just switch to Links where the web is best viewed in less than 10 colors. No cheating, I know about ‘‘links -g’‘!
@windxh8er
Just to make sure you aren’t misunderstanding me- I know MacSweeper doesn’t use an exploit, my point is that it targets Mac users. Yes we’re all used to seeing these for Windows, but now it has become profitable to do the same thing on Mac. My point is that if it is now profitable to target Macs with scareware, it won’t be long until we see the true quantity of Mac exploits as it becomes profitable to actually *look* for them.
At the same time though, I think the Windows/Mac security debate is going the way of the Dodo as exploits are turning to target web apps that every browser supports, regardless of publisher. Let’s compare IE7, Safari 3.0, Firefox 2.x, and whatever release Opera is on and how they handle web exploits. I’m curious to hear what all of you think of this trend.