Posted on 08/05/2008 8:38:22 PM PDT by Swordmaker
In a move that could backfire, according to one security expert, Apple pulled out of a prominent hackers' convention taking place this week in Las Vegas.
Apple abruptly canceled what would have been its first appearance at Black Hat, an annual event in Las Vegas that features presentations from the world's most preeminent security researchers a.k.a. hackers according to Computerworld. Speakers typically highlight security shortcomings in a number of different technologies, including operating systems, e-mail and the Internet itself. Taking one's lumps at Black Hat is a right of passage in a technology's security evolution, as companies like Microsoft and networking equipment maker Cisco will attest.
Thanks to this move and a few other gestures of ill will toward its customers (such as dropping the price of the iPhone last year shortly after many had purchased one), says Herbert "Hugh" Thompson, chief security strategist at New York software security firm People Security, "Apple's shield of being a charmed company could be lifting." Hackers could take offense at the move and start turning their attention to the security flaws in the company's computers, software and cell phones, Thompson says.
As leaders in the software and networking markets, respectively, Microsoft and Cisco attract attention because hackers who develop attacks against these companies' products affect the most people. "Risk, in an operating systems in particular, is a function of how vulnerable you are and how much people want to attack you," Thompson says. Apple's products, in particular its QuickTime Internet media player, are not more secure than these high profile targets, but the public's sentiment has always been in their favor. "The damage is going to come now," he adds, "as people speculate as to why (they pulled out of Black Hat) and start disparaging them."
Black Hat Director Jeff Moss told Computerworld, that Apple's marketing department "got wind of" the company's planned appearance. "Nobody at Apple is ever allowed to speak publicly about anything without marketing approval," he said. The company's presentation was supposed to be "them talking about security engineering and how they take security seriously."
Apple had set unusual conditions for speaking at the event: They wouldn't have to answer questions from the audience. Apple's canceled session was titled "Meet the Apple Security Experts," according to CRN magazine, which reported Moss as saying, "We had a lot of people from government agencies saying they'd love to know more about the security engineers at Apple, because it's such an opaque company." It seems the company will remain opaque, at least for now.
Apple's already starting to look a bit bruised. Petko Petkov, founder of security research firm GNUCITIZEN, said in the description on the Black Hat Web site of his presentation today that he planned to expose a flaw in Apple QuickTime running on the Windows operating system that Apple has yet to repair (a situation known as a "zero-day" bug), which means that hackers could immediate start attacking it. "If Apple responds before the event," he wrote, "I will drop the details of a QuickTime 0day for Windows Vista and XP." ScientificAmerican.com was unable to reach anyone who knew whether Petkov had gone through with his plans.
This wouldnt be the first time that hackers have tried to teach Apple the lesson that it should be more open with the security flaws in its products. Two hackers early last year created the "Month of Apple Bugs" project that made public a stream of security flaws in Apple's products, including the Mac OS X operating system and iChat instant messaging software.
Apple's strategy of tightly controlling its iPhone (it runs only on the AT&T wireless network) led to New Jersey teen George Hotz posting on YouTube a technique for modifying the iPhone so it can run over other wireless networks as well. This technique was not widely adopted, but it showed what happens when someone with technical skills sets their mind to picking apart Apple's technology.
Apple's absence from Black Hat had a bit of a ripple effect, as security consultant Charles Edge was forced last month, upon finding out of Apple's plans to cancel their presentation, to withdraw a session he had proposed to Black Hat organizers about flaws in Apple's FileVault encryption software, citing confidentiality agreements he had signed with the company, according to the Washington Post.
The hacker community's relentless drive to break the technology in which companies invest millions of dollars is at times sated by a good will gesture from those companies. Microsoft learned this lesson after years of battling with security researchers over flaws in its products. Since 2003 the company has held biannual BlueHat security conferences, during which Microsoft invites prominent security researchers to its offices to discuss security flaws in Microsoft products.
Thompson predicts that, if Apple doesn't learn from its mistakes the way Microsoft did, the company will start "losing that grace that customers had given them for a really long time because they have cool products. The haze is starting to lift and people are starting to asking more questions."
"Apple's absence from Black Hat had a bit of a ripple effect, as security consultant Charles Edge was forced last month, upon finding out of Apple's plans to cancel their presentation, to withdraw a session he had proposed to Black Hat organizers about flaws in Apple's FileVault encryption software, citing confidentiality agreements he had signed with the company, according to the Washington Post."
Any "security consultant" who had already signed "confidentiality agreements" would have known that discussing unpatched "flaws" in an important security aspect of OSX would not have Apple's blessings. What I infer happened is that Edge shopped his discovered flaws to Apple and they hired him to help close them and required him to sign the NDA which, consequently resulted in his canceling is scheduled presentation at Black Hat.
Somehow this has been confabulated in this article into APPLE, INC., being scheduled to discuss their commitment to security and APPLE pulling out of an agreement to speak. That just doesn't comport to Apple's history or corporate policies. It would have been a major coup to have Apple officially address the Black Hat convention. Since they were not advertising this presentation out the kazoo, I don't think it was ever scheduled.
I think this entire article is FUD.
I don't think that is what happened.
Thanks to Leonard210 for the heads up.
If you want on or off the Mac Ping List, Freepmail me.
FUD? FUD? Who would do that to Apple???
Dija catch this gem?
“Thanks to this move and a few other gestures of ill will toward its customers (such as dropping the price of the iPhone...”
Dropping the price of a very popular product transmogrifies into a gesture of ill will towards the customers!
Apple is running UNIX. Gee, like that’s ever been hacked?
...says Herbert "Hugh" Thompson, chief security strategist at New York software security firm People Security, "Apple's shield of being a charmed company could be lifting."...and who are ya gonna believe, some software patch salesman, or...
They are already ticked off.
Last year, a couple of these Black Hatters in a video demonstrated a claimed Zero Day infiltration of an Apple MacBook Pro at the convention that gained user level access through a flaw in the MacBook's WIFI.
However, the demonstrated exploit turned out to be done by using non-Apple hardware (third party USB WIFI card) and software (third party WIFI drivers) that is NOT installed in a MacBook Pro. The demonstrated flaws were in the third party stuff that would not normally be used on a Mac because the functionality is already built in. . . but they touted it as a Mac vulnerability. It took months to clear that FUD party up and get them to admit it was NOT a flaw in OS X as shipped by Apple.
The vulnerability was much more common on Windows computers that DID use the third party stuff... but the demonstrators said they chose to use a MacBook Pro because "they wanted to stick a lit cigarette into the eyes of smug Mac users"so they cheated to damage Apple's reputation.
Yep. UNIX has undergone a lifetime of testing by hackers... and patching by the open source community. Most of the vulnerabilities have been found and fixed long ago. There are still things that Apple has added that have vulnerabilities, but since they run on top of UNIX, they are protected from doing too much damage through those vulnerabilities.
A lot of Apple's OS X applications are also open source and the OS community also searches through them for potential vulnerabilities.
For all the supposed smugness of Mac users, it seems to me that Mac detractors are the truly self-righteous.
Exactly! The hackers so far showed relatively no interest in Apple due to their miniscule marketshare. And the fact they have already exploited OSX Leopard shows it isn’t some superior OS that is flawless like Apple wants people to believe.
Sounds like the standard liberal tactic being used from anyone from Hilary Clinton; Nancy Pelosi; Barack Obama to people like Jesse Jackson and now Apple. They don't want to answer questions from an audience probably smarter than most of their engineers at Apple, but they snidely want to introduce the hackers to their Security Experts. I'm syre they see right through that BS and Apple probably pissed off the wrong people with this one.
Miniscule Market Share = 33,000,000 Mac OS X users.
And the fact they have already exploited OSX Leopard shows it isnt some superior OS that is flawless like Apple wants people to believe.
Please provide us poor deluded Mac users the real, in the wild exploits, not mere vulnerabilities, that are plaguing Mac users today. Name them. Proof-of-concept viruses and trojans that exist only in a Security Company lab are not in the wild.
Spot The Fed!
I can find no other primary source that says that Apple was intending to officially attend the Black Hat conference. To criticize Apple for supposed restrictions on a undocumented appearance that was not touted by the promoters in all of their promotion materials is absurd. I think the supposed appearance is bogus.
As I mentioned, this "cancellation" was reported last week and at that time involved only Edge. Not Apple.
Participants in the Black Hat conference have been known to lie about Apple before. Since Apple's non-participation fits much more the history of the company and its known reticence about talking about anything security related, I strongly doubt that Apple's security experts would have scheduled themselves to be featured at a conference with the animosity that it has shown in the past toward anything Apple. Blue, it makes no sense.
Sounds like blackmail to me. So which nation is going to pursue him for cyberterrorism?
So I say to the FUD-spewing Win-trolls: WHERE ARE THE MAC BOTNETS???
Right on dayglored. Hackers hack ‘cause they love to hack. How stupid do they think we are? No one has tried to hack a Mac ‘cause there aren’t enough of them yet? What tripe.
“One of these days Alice. Bang! Zoom! Just as soon as there are enough of you out there, you’re goin’ to the moon!” (For the kiddies, it’s a Jackie Gleason reference. He used to say, ‘You’re goin’ to the moon Alice...’ Gleason. Jackie Gleason. Oh, never mind!)
Either I'm missing something, or the author of this article is.
Un-Scientific American article.
Just more crapola from a rag which evangelizes Global Warming.
I use Win, Mac, Linux, and NetBSD computers every day. I'm in charge of System Administration at a software company.
VMware Fusion on the Mac -- I run Windows, Linux, NetBSD, even MS-DOS on my MacBook. Beats the crap outta everything else out there.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.