Update:
After publishing this, I realized I should have taken more time editing, especially after Apple released their iOS Security paper this week. My intention was to refer to situations where, often due to attacks, vulnerabilities, or other events, Apple is pushed into responding. They can still struggle to balance the lines between what they want to say, and what outsiders want to hear. They have very much improved communications with researchers, the media, and the level of security information they publish in the open. It is the crisis situations that knock things off kilter at times.
I am sometimes called an Apple apologist for frequently defending their security choices, but it wasn’t always that way. I first started writing about Apple security because those were the products I used, and I was worried Apple didn’t take security seriously. I was very personally invested in their choices, and there were a lot of reasons when I first posted this back in 2006 to think we were headed for disaster.
In retrospect, my post was both on and off target. I thought at the time that Apple needed to focus more on communications. But Apple, as always, chose their own path. They have improved communications significantly, but not nearly as much as someone like Microsoft. But at the same time they tripled down on security. iOS is now one of the most secure platforms out there (yes, even despite the patch last week). OS X is also far more secure than it was, and Apple continues to invest in new security options for users.
I was right and I was wrong. Apple recognized, due to the massive popularity of iOS, that building customer trust was essential to maintaining a market lead. They acted on that with dramatic improvements in security. iOS has yet to suffer any major wide-scale exploitation. OS X added features like FileVault 2 (encryption for the masses) and GateKeeper (wrecking malware markets). Apple most definitely sees security as essential to trust. But they still struggle with communications. Not that I expect them to ever not act like Apple, but they are still feeling their way around the lines to find a level they are comfortable with culturally, which still avoids negative spin cycles like I talk about below.
This post originally appeared on October 18, 2006
Apple, Security, and Trust
Before I delve into this topic I’d like to remind readers that I’m a Mac user and Apple fan. We are a 2 person, 2 Mac, 3 iPod, 2 Airport Express household, with another Mac in the plans this spring. By the same token I don’t think Microsoft is evil and consider some of their products to be quite good. That said I prefer OS X and have no plans to switch to Vista, although I’ll probably run it in a virtual machine on my Mac.
What I’m about to say is in the nature of protecting, not attacking, one of my favorite vendors. Apple faces a choice. Down one path is the erosion of trust, lost opportunities, and customers facing increased risk. On the other path is increased trust, greater opportunities, and happy, safe, customers. I have a lot vested in Apple, and I’d like to keep it that way.
As most of you probably know by now, Apple shipped a limited number of video iPods loaded with a Windows virus that could infect an attached PC. The virus is well known and all antivirus software should stop it, but the reality is this is an extremely serious security failure on the part of Apple. The numbers are small and damages limited, but there was obviously some serious breakdown in their security controls and QA process.
As with many recent Apple security stories this one was about to quietly fade into the night were it not for Apple PR. In Apple’s statement they said, “As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it.”. As covered by George Ou and Amrit Williams, this statement is embarrassing, childish, and irresponsible. It’s the technical equivalent of blaming a crime victim for their own victimization. I’m not defending the security problems of XP, which are a serious epidemic unto themselves, but this particular mistake was Apple’s fault, and easily preventable.
While Mike Rothman agrees with Ou and Williams, he correctly notes that this is just Apple staying on message. That message, incorporated into all major advertising and marketing, is that Macs are more secure and if you’d just switch to a Mac you wouldn’t have to worry about spyware and viruses.
It’s a good message, today, because it’s true. I bought my mom a Mac and talked my sister into switching her small business to Macs primarily because of security. I’m overprotective and no longer feel my friends and family can survive on the Internet on XP. Vista is a whole different animal, fundamentally more secure than its predecessors, but it’s not available yet so I couldn’t consider that option. Thus it was iMac and Mac mini city.
But when Apple sticks to this message in the face of a contradictory reality they expose themselves, and their customers, to greater risks. Reality is starting to change and Apple isn’t, and therein lies my concern.
All relationships are founded on trust and need. (Amrit has another good post on this topic in business relationships). One of the keystones of trust is security. I like to break trust into three components:
- Intent: How do you intend to treat participants in a relationship?
- Capability: Can you behave in compliance with your intent?
- Communication: Can you effectively communicate both your intent and capability?
Since there’s no perfect security we always need to make security tradeoffs. Intent decides how far you need to go with security, while capability defines if you’re really that secure, and communication is how you get customers to believe both your intent and capability.
Recent actions by Apple are breaking their foundations of trust. As a business this is a critical issue; Apple relies heavily on trust to grow their market. Trust that their products work well, are simple to use, include superior capabilities, and are more secure. Apple’s message is that Macs are secure, simple, elegant, and reliable. Safe and secure is a powerful message, one that I suspect (based on personal experience) drives many switchers. When I told my cab driver today that Macs have no spyware or active viruses he was stunned.
Should Apple lose either their intent to provide superior security, their capability to achieve security, or their ability to communicate either of those, they face reasonable risk of losing customers, or at least growth opportunities. Security, today, is one of Apple’s cornerstones. Anything that erodes it increases their business risks.
At the same time, should communication disconnect from either intent or capability, Apple places then places both their trust relationship, and their customers, at risk. Take my favorite snake-oil salesmen at Diebold– by having no intent to secure their products and no security capabilities in their products, and communicating that the products are secure, they create huge potential for security failures. Less educated customers buy products thinking they’re secure, but the products are so flawed it places these customers (the voting public) at extreme risk. Software vendors have done this in the past – claiming products are secure and covering up failures in the hopes the customers and prospects won’t notice.
Recent events indicate that Apple may stay on an impossible message (perfect security) and face failures in capability despite the best intent. The entire Black Hat debacle showed Apple pushing the message so hard that the debate lived far longer than needed, exposing more of the public to a potential security failure than would have otherwise noticed, drawing the attention of researchers who may now want to prove Apple isn’t invincible, and losing the trust of some of us in the industry disappointed by PR’s management of the incident.
The iPod virus infections shows a lack of capability (security QA in shipping products) and poor communications (failure to take full responsibility). It’s a very small problem, but their arrogant approach to spinning the story lead me to question how they might respond to more serious issues. We have, over the course of a couple months, two incidents where Apple decided to play the PR game rather than taking responsibility and communicating openly. I realize those of you that still believe the wifi hack was BS probably believe Apple dealt with the situation reasonably, but for reasons I can’t disclose I still think PR overrode good security practices.
The latest security updates indicate that OS X, while still materially more secure than XP, has its own fair share of flaws. We’ve seen zero day vulnerabilities in Safari, multiple holes in QuickTime, wireless vulnerabilities, and even a flaw that could allow a specially crafted image sent in email to exploit and own your Mac. The first time Microsoft patched an image vulnerability like that I spammed all my friends and family to update their computers pronto. Macs are pretty secure, but not invulnerable, and fortunately we’ve managed to avoid any significant mass exploits. I’d really like that trend to continue.
Let’s look back on the three components of trust. Right now I believe Apple still intends to keep us secure; of that I have little doubt. The next release of the operating system should be very telling – should they adopt some more advanced OS security features, like memory randomization (a very cool feature of Vista) it will indicate they continue to push towards a secure OS. So far they’ve done pretty well. Next is communication, which is a mixed bag. On one hand, the message is clear and unambiguous – Macs are secure. On the other hand is their arrogance, as best illustrated in the response to the iPod virus and the wifi vulnerability. Those are early indications that the message could exceed reality, eventually (probably) leading to an erosion of trust.
The linchpin is capability. As I already stated – OS X is materially more secure than Windows XP, but is far from perfect. We’ll eventually see a mass exploit (I hope I’m wrong). Recent vulnerability disclosures by Apple themselves indicate that the kinds of serious flaws that lead to worms and viruses can exist in OS X. We also shouldn’t underestimate the impact of goodwill towards Apple on exploit development – researchers and attackers tend to focus on hot issues (just look at the recent spate of Microsoft Office exploits). If you piss off the bad guys, or just the generally good social malcontents, eventually they’ll come after you. Anyone still think Oracle is unbreakable?
Thus Apple stands at a crossroads. Should they choose the marketing line they’d better be able to back it up. If you base your reputation on security, and that security is eroded, trust is equally eroded. If they communicate more openly and honestly about security, communications will reinforce intent and capability and even imperfect security will be accepted by the market. If they intend to deceive the market (the one option I don’t think they’ll take) it will place customers at risk and eventually destroy trust.
I’ve trusted Apple. I’d like that trust to continue. But incidents like the wifi flaw and the iPod virus are starting to weaken that relationship. Not because Apple made mistakes and vulnerabilities and flaws made it into products, but because Apple mangled the communications and lead me to believe image was more important than substance and accountability.
When capability, intent, and communications are aligned, trust is reinforced. If any of those degrade or deviate from reality, trust disappears, customers are in danger, and Apple’s business is at risk.
It’s early. Opportunities are still open. The roads are clear. If Apple is open and honest, and harbors good, intentions they’ll succeed. I really REALLY don’t want to see them go the way of other vendors who put PR in charge of security.
Comments