Apple disses hackers' Black Hat convention
Scientific American ^ | 08/05/2008 | Larry Greenemeier

Posted on 08/05/2008 8:38:22 PM PDT by Swordmaker

In a move that could backfire, according to one security expert, Apple pulled out of a prominent hackers' convention taking place this week in Las Vegas.

Apple abruptly canceled what would have been its first appearance at Black Hat, an annual event in Las Vegas that features presentations from the world's most preeminent security researchers – a.k.a. hackers – according to Computerworld. Speakers typically highlight security shortcomings in a number of different technologies, including operating systems, e-mail and the Internet itself. Taking one's lumps at Black Hat is a rite of passage in a technology's security evolution, as companies like Microsoft and networking equipment maker Cisco will attest.

Thanks to this move and a few other gestures of ill will toward its customers (such as dropping the price of the iPhone last year shortly after many had purchased one), says Herbert "Hugh" Thompson, chief security strategist at New York software security firm People Security, "Apple's shield of being a charmed company could be lifting." Hackers could take offense at the move and start turning their attention to the security flaws in the company's computers, software and cell phones, Thompson says.

As leaders in the software and networking markets, respectively, Microsoft and Cisco attract attention because hackers who develop attacks against these companies' products affect the most people. "Risk, in an operating system in particular, is a function of how vulnerable you are and how much people want to attack you," Thompson says. Apple's products, in particular its QuickTime Internet media player, are not more secure than these high-profile targets, but the public's sentiment has always been in their favor. "The damage is going to come now," he adds, "as people speculate as to why (they pulled out of Black Hat) and start disparaging them."

Black Hat Director Jeff Moss told Computerworld that Apple's marketing department "got wind of" the company's planned appearance. "Nobody at Apple is ever allowed to speak publicly about anything without marketing approval," he said. The company's presentation was supposed to be "them talking about security engineering and how they take security seriously."

Apple had set an unusual condition for speaking at the event: its presenters would not have to answer questions from the audience. Apple's canceled session was titled "Meet the Apple Security Experts," according to CRN magazine, which reported Moss as saying, "We had a lot of people from government agencies saying they'd love to know more about the security engineers at Apple, because it's such an opaque company." It seems the company will remain opaque, at least for now.

Apple's already starting to look a bit bruised. Petko Petkov, founder of security research firm GNUCITIZEN, said in the description on the Black Hat Web site of his presentation today that he planned to expose a flaw in Apple QuickTime running on the Windows operating system that Apple has yet to repair (a situation known as a "zero-day" bug), which means that hackers could immediately start attacking it. "If Apple responds before the event," he wrote, "I will drop the details of a QuickTime 0day for Windows Vista and XP." ScientificAmerican.com was unable to reach anyone who knew whether Petkov had gone through with his plans.

This wouldn’t be the first time that hackers have tried to teach Apple the lesson that it should be more open with the security flaws in its products. Two hackers early last year created the "Month of Apple Bugs" project that made public a stream of security flaws in Apple's products, including the Mac OS X operating system and iChat instant messaging software.

Apple's strategy of tightly controlling its iPhone (it runs only on the AT&T wireless network) led to New Jersey teen George Hotz posting on YouTube a technique for modifying the iPhone so it can run over other wireless networks as well. This technique was not widely adopted, but it showed what happens when someone with technical skills sets their mind to picking apart Apple's technology.

Apple's absence from Black Hat had a bit of a ripple effect. According to the Washington Post, security consultant Charles Edge was forced last month, upon learning of Apple's plans to cancel its presentation, to withdraw a session he had proposed to Black Hat organizers about flaws in Apple's FileVault encryption software, citing confidentiality agreements he had signed with the company.

The hacker community's relentless drive to break the technology in which companies invest millions of dollars is at times sated by a goodwill gesture from those companies. Microsoft learned this lesson after years of battling with security researchers over flaws in its products. Since 2003 the company has held biannual BlueHat security conferences, during which Microsoft invites prominent security researchers to its offices to discuss security flaws in Microsoft products.

Thompson predicts that, if Apple doesn't learn from its mistakes the way Microsoft did, the company will start "losing that grace that customers had given them for a really long time because they have cool products. The haze is starting to lift and people are starting to ask more questions."


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: applecomputer; computersecurity; hackers; maccult; macviruses
To: All; Blue Highway
I was right.

"Black Hat says "cancelled" Apple talk never existed"

21 posted on 08/06/2008 6:09:29 PM PDT by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: Swordmaker

Why did you even post the original article without finding out if it was a credible article?


22 posted on 08/06/2008 7:29:25 PM PDT by Blue Highway

To: Swordmaker

Exploits or vulnerabilities, you’re quibbling with semantics here. Even with vulnerabilities, you’d think Apple would scrap OSX Leopard and go back to the drawing board until there are no vulnerabilities, and think twice before releasing basically a beta version.


23 posted on 08/06/2008 7:33:13 PM PDT by Blue Highway

To: Blue Highway
> Why did you even post the original article without finding out if it was a credible article?

How would you want me to test the credibility of an article published by Scientific American, a scientific journal with a venerable reputation???

Did you fail to see my critique of the article in reply #1? Let me recap:

"I think this entire article is FUD."

24 posted on 08/06/2008 7:42:42 PM PDT by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: Blue Highway
> Exploits or vulnerabilities, you’re quibbling with semantics here. Even with vulnerabilities, you’d think Apple would scrap OSX Leopard and go back to the drawing board until there are no vulnerabilities, and think twice before releasing basically a beta version.

Words have meaning... and therefore I am NOT quibbling with semantics. An exploit (make full use of and derive benefits from) is a vulnerability (a weakness in a computer system which may allow an attacker to violate the integrity of that system) that has been actually used to cause malicious damage or gain access to data or computer usage without permission. There are also varying degrees of risk and danger associated with any vulnerability. Triage is necessary. A vulnerability may never be exploitable.

OS X may have vulnerabilities but most often they are listed as "may lead to an unexpected application termination or arbitrary code execution." Arbitrary code is NOT code that has been placed on the computer by the malware author... it is code that already exists, placed there by Apple. Arbitrary means just that... "a random selection". The vulnerability may cause the execution pointer to be transferred to a random location in memory and have whatever is located there execute... if it is a proper entry point to the code. Unless the hacker cracking into the vulnerability knows the exact current location of the code he wants to execute (OS X randomizes code loaded into RAM) it is highly unlikely that he can do any damage.

Windows Vista has plenty of "vulnerabilities" as does every other application or OS. Should they also be held until "there are no vulnerabilities"? Windows XP has approximately 16,000 known flaws and vulnerabilities... but most of these are innocuous. Had Microsoft adhered to your standard, most people would still be using Windows 98 (with over 24,000 known, documented flaws).

Many vulnerabilities cannot be found in the laboratory... or even in the most diligent Beta testing. Discovery of those vulnerabilities can only come about by usage in the field by many people using many differing applications.

25 posted on 08/06/2008 8:05:50 PM PDT by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: dayglored

That’s so cool. I have Fusion and XP but haven’t installed them yet. It’s that very ability, multiple OS, that made the decision to buy a new Intel Mac so much easier. I do graphics work, mostly pre-press, and there’s a lot of bad Publisher stuff that I get. My job is to get it out of whatever program it was created in and get it into the appropriate Adobe program and prepare it for press. The perfect scenario for a dual system.

I’m impressed that you’re using so many systems. What Mac are you running them all on?


26 posted on 08/06/2008 9:14:22 PM PDT by Leonard210 (Tagline? We don't need no stinkin' tagliine.)

To: Leonard210
> I’m impressed that you’re using so many systems. What Mac are you running them all on?

At the moment I'm using my 2.16GHz/2GB/120GB MacBook, with the WinXP VM doing some Win-only tasks while I FReep in OS-X-land. I had my Vista VM running earlier to chase a bug one of my users reported, and cranked up Fedora to try something out earlier tonight also.

My Mac Mini has all the above, plus NetBSD (so I can model and prototype my network changes before taking them live), as well as Win2K, Win98, and MSDOS.

I don't run them all at once, of course -- I could, in theory, but there's no screaming reason to, since I typically only bring them up to do specific tasks. And frankly the Vista VM really wants at least 1GB of RAM all by itself, so with only 2GB total RAM, I don't generally run more than 2 VMs at a time over OS-X.

I suppose if I had a bigger machine (MacPro, whatever) with tons of RAM, I could run 'em all at once, but I live off-grid (PV power only) and so small is beautiful.

27 posted on 08/06/2008 10:15:12 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: dayglored

Very cool dayglored. I bought a refurb iMac 2.8 GHz after almost 10 years on a PowerMac G4. An upgraded processor allowed me to keep going longer than normally possible in a graphics environment. I freelance on a client system that runs XP. It’s cool as long as I don’t add too much stuff to it. I have to “maintain” a small network (3 units) and keep backups (they would have run without any). Maintain means keeping anti-virus software up-to-date and occasional troubleshooting (mostly due to MS updates and web use).

It’s good to know that you can do so much off that laptop. I was worried that I may overload this thing. I figure I’ll fill the HD before I overload the processors.


28 posted on 08/06/2008 10:49:40 PM PDT by Leonard210 (Tagline? We don't need no stinkin' tagliine.)

To: Leonard210
> It’s good to know that you can do so much off that laptop. I was worried that I may overload this thing. I figure I’ll fill the HD before I overload the processors.

Yep.

In fact, I suggest you do what I did -- rather than keep all the VM images on the laptop HD, put the ones you don't use as often on an external FireWire drive. Plenty fast enough for normal VM use. USB2 is not too bad performance-wise, but since you've got FW on the Macs may as well use it.

I only keep the WinXP and Vista VMs on the MacBook HD. The rest are external. Having them external also means I can run them on other Macs (like the Mini). And it's only a couple of minutes to copy the VM image from ext to internal, so if I want to travel with (say) the Fedora image, I just copy it to the laptop HD, and go!

I beat the piss out of my machines, and have yet to overload the CPUs in this laptop. It's really quite impressive.

29 posted on 08/06/2008 10:58:42 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: dayglored

Excellent. I hadn’t thought to run XP off an external. That may be just the ticket. Thanks dayglored.


30 posted on 08/07/2008 7:05:42 AM PDT by Leonard210 (Tagline? We don't need no stinkin' tagliine.)

To: Swordmaker

What is FUD?


31 posted on 08/07/2008 2:46:24 PM PDT by Blue Highway

To: Swordmaker

I’m certain Microsoft has multiple exploits and like you mentioned thousands of vulnerabilities. Yes I do find it irresponsible for this to occur for even Vista was in beta for over a year. Totally unacceptable.

I was just pointing out like the half baked article did that Apple OSX is not immune to exploits or vulnerabilities as much as Mac users want to pretend.


32 posted on 08/07/2008 2:49:45 PM PDT by Blue Highway