Posted on 06/05/2015 6:05:07 PM PDT by for-q-clinton
NEW YORK (CNNMoney) So much for the argument "Apple computers are safer and bug-free."
It's not true. We're accustomed to annoying glitches in PCs. But the past few years have shown that Macs, iPads and iPhones have them too.
So far in 2015, five major flaws have affected Apple products.
Just this week, we encountered a nasty bug that lets hackers bury malicious code so deep inside a Mac that you will never find it. A week earlier, a flaw appeared that lets a single text message crash an iPhone.
These are significant issues, and neither has been fixed yet.
Faulty code is found in every operating system, app and software program. But Apple has an outdated strategy for fixing the flaws once they are found.
Remember when Apple would advertise it was safer than Windows? No more. Apple is now where Microsoft was a decade ago.
The problem
Computer engineers, hackers and people familiar with the company's practices explained that Apple is doing five things wrong in its approach to security.
1) Apple's security updates are irregular and infrequent. Last year, it took Apple 100 days to fix a problem that some folks at Google found. (And when Apple finally did patch the hole, its supposed fix was weak and easily bypassed by hackers.)
In 2012, Oracle quickly patched a Java vulnerability that the Flashback malware was exploiting to steal information. But Apple, which at the time shipped its own build of Java for Macs, waited two whole months to issue a fix -- even though an estimated 650,000 Macs were infected in the meantime.
"They don't appear to have a regular patch schedule like Microsoft, nor do they appear to patch continuously like Google does with Chrome," said Tod Beardsley, a research manager at cybersecurity firm Rapid7. "Sometimes, patches are slow to arrive, but then again, sometimes patches are difficult to develop."
Sure, issuing quick fixes sometimes backfires. In this sense, Apple treats bugs like it does products. It's usually a little late to the game, but it plans to do the job right.
But waiting too long can have devastating effects, leaving Apple customers vulnerable to hacks and theft of personal information.
2) Secrecy. Apple keeps quiet about its security holes.
For example, Apple hasn't even confirmed that the latest Mac bug is real (on the theory that confirming it would entice hackers to exploit it). And while it acknowledges the text message flaw and offers a workaround, Apple hasn't explained the bug's root cause.
"Apple works in mysterious ways. It has a reputation for being tight-lipped when it comes to confirming the existence of security issues," Beardsley said.
Transparency would keep customers alert and help the large community of Apple developers suggest fixes. In this sense, secrecy is harmful.
3) Updates are only for the latest software. If you're still using old versions of the Mac operating system, Apple has forsaken you.
For example, Apple patched a serious vulnerability in April -- but only for its latest version, Yosemite. That left behind the 47% of Mac users still running Mavericks, Mountain Lion, Lion or Snow Leopard, according to industry figures gathered by Net Market Share.
Apple's defense? Customers can upgrade to the latest version for free. That's true, but not entirely fair. Some older laptops can't handle the latest software.
4) Unwillingness to pay. Apple is one of the only major tech companies that doesn't reward researchers -- with money -- for finding potentially disastrous computer bugs.
Although criminals and spies are willing to pay $150,000 for an iPhone bug that hasn't been made public, Apple pays nothing. Zip. Zilch.
5) No admission of guilt. This is what frustrates security folks the most. Apple doesn't tend to acknowledge when it's wrong. When hackers broke into celebrity iCloud accounts and exposed nude photos last year, Apple CEO Tim Cook said the company would beef up security measures. But he blamed users, saying the problem was "not really an engineering thing."
But security features that would have prevented the celebrity iCloud episode -- like two-factor authentication, which requires a second code sent by text message on top of the password -- are precisely an engineering problem. To Apple's credit, it eventually added that crucial feature to iCloud.
Dealing with Apple isn't easy. Security researcher Xeno Kovah said that even in the most serious cases, when he had to report a critical software flaw through Carnegie Mellon's CERT Coordination Center, Apple was still not as "responsive or accurate" as other companies.
"Apple has a bug fixing problem," he said.
It's so bad that 684 independent Apple developers launched a formal campaign in 2012 and wrote a letter begging Apple to improve its bug-reporting system. They say little has changed.
Apple declined to comment for this story.
How Microsoft did it
Some of the best Apple hackers tell CNNMoney that Apple's bug-reporting system needs an overhaul, similar to the one Microsoft went through years ago.
Microsoft had to go through a long and painful awakening. Think back 15 years ago, when Windows products were the most used -- and hated. They were notoriously buggy. But then came a corporate turnaround.
In 2003, Microsoft introduced Patch Tuesday: on the second Tuesday of every month, users get a batch of security updates on a predictable schedule. In 2005, Microsoft started hosting Blue Hat, an invitation-only security conference to meet face-to-face with curious (and often aggressive) researchers. Apple doesn't host a forum like that.
One of Microsoft's most successful strategies in improving security has been its "bug bounty" program, which was implemented in 2013. Microsoft stopped fighting the legion of hackers -- and turned them into a ragtag army of Microsoft guardians.
"Microsoft had worm after worm before meaningful security changes were made," said Katie Moussouris, Microsoft's former chief security strategist who implemented the bug bounty program. "Hopefully, Apple will adapt quickly."
Why the added pressure on Apple all of a sudden? The company is "a victim of its own success," Moussouris explained. Apple products are more popular than ever. More fingers on keyboards means more code is being explored. Inevitably, bugs will be found.
The good news: Apple is listening. And changes are coming.
Apple is aware of these issues, and the company is trying to improve how it communicates with researchers, according to a person familiar with the company's plans. Its main challenge now is dealing with its rapid growth. Apple gets inundated with reports about possible flaws, and its security team wants to do a better job of paying closer attention to the big security issues, separating the real bugs from the fake ones.
Sorry, but you're mistaken again.
I'm not protecting anybody. I think EVERY one of the big tech companies has far to go to become properly responsive and responsible about vulnerabilities in their products. I'm a network system administrator, I deal with their products every day, and I have to address the problems their bugs create, whether it's problems the users report, or security vulnerabilities.
The reason the article is largely worthless is that it presents nothing useful, new, or interesting. It's just a rehash of criticisms we've all read numerous times in recent weeks or months. Its only objective is to gather page hits by slamming Apple in a headline.
It's click-bait, period. No new information, insights, perspectives, anything. Just trolling. Click-bait.
If you want to take part in a discussion of the topics mentioned in the article, there are probably a score or two of tech forums where people are still discovering these bugs and talking about them. We here at FreeRepublic have been discussing them since they first occurred, and speaking for myself, I don't feel a screaming need or desire to talk them into the ground any further.
For-q, if he's true to form, will probably dredge up a few more slam pieces of click-bait before even he tires of beating this dead horse, but nobody on FR will care.
Maybe someone could dredge up some Microsoft slam click-bait.... but the problem there is, it doesn't draw the same interest. "Apple" in a headline draws page hits infinitely better than "Microsoft". Oh well.
Ta-ta, if you can't understand where I'm coming from after the above, I'm afraid there's no more I care to offer. Hope you have a great evening.
LOL, oh, I understand where you're coming from. It's not hard. Perhaps you could run a list of ongoing articles about this subject that you've vetted for substantiveness. Then you wouldn't have to post over and over again to inform everyone about how disinterested you are in whether they realize you don't approve of the technical level of any particular article.
LOL!
To what degree did the switch from Objective-C to Swift also contribute to the decline in quality?
Nah, those articles are all in the thread history here from the past weeks and months. Swordmaker pinged the Apple/Mac list on most of them, all the useful ones anyway. No need for me to duplicate that effort. But thanks for the thought.
I somewhat had an inkling that this would happen—the day System 10 moved to AMD64, it was going to happen, sooner rather than later.
If Apple had decided to use System 9 as the base for System 10, would we end up radically different from where we are today, in terms of features, User Experience, &c?
They could have improved the memory manager to a greater extent; since Freescale 68k-based Macs were already obsolete by 2001, there was very little need to maintain compatibility with it, for example.
They could make a break from the past—but it didn’t have to be as dramatic as it turned out to be.
In any case, the UNIX integration, and the subsequent cut-over to AMD64 were big mistakes in terms of security.
Actually, I do. The celebrity pictures were being offered for sale for three weeks on the site where they were being offered before the "iBrute" exploit was released. It got no traction. Analysis of the photos showed that many, in fact most, of the celebrity pictures were never on iCloud and had metadata that showed they came from Windows computers, Android phones, regular digital cameras (and some even digitized from film camera images), movie clips, and other sources, which would not have been uploaded to iCloud from an Apple device. We now know exactly from what source the celebrity photos originated and it was, for the most part, NOT FROM iCLOUD, but from an underground organization of celebrity picture collectors who used multiple means of collecting the photos and traded them among their group. To be a member of the group, they had to agree to only sell and trade photos within their group. The seller was violating their membership agreement. It was only when the pervert started claiming he got them off of iCloud that he got attention, made news, and actually got traction to sell the images. These are FACTS uncovered in the weeks after the "fappening". . . and are the results of the investigation into release of the photos. That is why Apple was not sued by the celebrities.
All of this was covered on Freerepublic at the time in far more detail with links to the evidence. I am not going to repeat it here.
iBrute was a joke. It accessed a dictionary with only the 500 most common passwords used by people. However, Apple requires users to use at least 8 upper and lower case characters, a number, and a keyboard symbol when signing up for iCloud. When searching for words that match that criteria on that "dictionary of 500 most common passwords" only TWO met those criteria. iBrute would not have worked on iCloud except on those two words. The author of iBrute got it to work by putting his own password into the dictionary. . . as did those who tested it. Again, this was covered on Freerepublic in detail when it was current.
As for Ars Technica's claim of being able to get into the teenage girl's iOS iCloud backup . . . they used a forensic software that says it works "providing that their system logon passwords are known" BZZZZT. That means they had to have physical possession of the user's COMPUTER to access their iTunes account. Really? That is not much of a hack. I recall covering that too when it was brought out on Freerepublic. This is all FUD.
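The arithmetic in the post above (a composition rule thins a dictionary of common passwords down to a couple of usable candidates) can be checked with a short script, and so can its limit. This is an added example, not code from the post, from iBrute or from Apple. The wordlist below is constructed for the example, and the rule it enforces is the one the post describes (8+ characters, upper, lower, digit, symbol), not Apple's published policy. The second half goes beyond the post: it applies the sort of mangling rules password-guessing tools use, which is how such tools normally derive policy-compliant candidates from a plain dictionary rather than trying the raw words.

```python
import string

# Composition rule as the post describes it (assumption for this example).
MIN_LENGTH = 8
SYMBOLS = set(string.punctuation)


def meets_policy(pw: str) -> bool:
    """True if pw satisfies the composition rule above."""
    return (
        len(pw) >= MIN_LENGTH
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in SYMBOLS for c in pw)
    )


def survivors(wordlist):
    """Raw dictionary entries the policy would have accepted as a password."""
    return [w for w in wordlist if meets_policy(w)]


def mangle(word: str):
    """A few common cracking-tool rules: case variants plus digit/symbol suffixes."""
    bases = {word, word.capitalize(), word.upper()}
    suffixes = ["", "1", "123", "!", "1!", "2014!"]
    return {b + s for b in bases for s in suffixes}


def mangled_survivors(wordlist):
    """Policy-compliant guesses a rule-based tool would derive from the same list."""
    out = set()
    for w in wordlist:
        out.update(c for c in mangle(w) if meets_policy(c))
    return sorted(out)


# Constructed stand-in for a "most common passwords" list; not a real dump.
SAMPLE_WORDLIST = [
    "123456", "password", "qwerty", "letmein", "baseball",
    "iloveyou", "P@ssw0rd", "Welcome1!", "monkey", "dragon",
]

if __name__ == "__main__":
    print("raw entries passing policy:", survivors(SAMPLE_WORDLIST))
    print("after mangling rules:", len(mangled_survivors(SAMPLE_WORDLIST)))
```

On the constructed list only two raw entries pass the rule, which is the post's point; after a handful of mangling rules the same list yields a few dozen compliant guesses, which is why a composition rule on its own is not what stops an online guessing attack.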
No it was not! It is on the sign up page in a quite clear option. It was NOT HIDDEN. WOW! You guys will lie through your teeth, won't you?
WOW! You really don't know what you are talking about, do you? UNIX is demonstrably one of the most secure operating systems in the world and putting OS X on top of it was not a mistake. Apple OS X has not had a single viable computer virus invade OS X in 17 years since OS X has been in the wild (OS X server was released in 1998 into the wild). MacOS 9 had 139 known, truly viable computer viruses when it was discontinued, plus many variants, and additional Trojan horse programs. OS X has only 57 known Trojan horses. That is secure and safe. The latest vulnerability is in the EFI boot loader which comes into play before UNIX even boots. . . so it cannot even truthfully be said to be part of UNIX and would affect every OS regardless of security tightness.
You got dayglored figured out.
On the contrary.
The vast majority of complaints and bad press about Windows came from Windows users, not Apple fans. Remember:
So there is no "payback".
Just the same old crap, regardless of who is throwing it at whom.
LOL. You guys don't have a clue. ;-)
You wanna clue about dayglored, you can read this: http://www.freerepublic.com/~dayglored#Computer but I don't think you'll bother. It might dispel the preconceived notions you hold so dear.
Happy trolling, fellas; I'm off for the rest of the day, got work to do. Catch ya later!
And it came from the 5% of ibots who were making up FUD about Windows. But Apple does need to get into the 21st century in regards to patching.
Well, I'd sure like to see them get faster about acknowledging threats and releasing patches.
But related to that, I notice two things about the way Microsoft is handling their patches in recent months and (they say) into the future:
And Microsoft is adopting that model -- not because they're "copying" Apple, but because that's the model they need to use. The old "Patch Tuesday" model with lots of notice and description was very helpful for enterprise admins (of which I'm one) but it became obsolete when it became obvious how helpful it was for the hackers generating Zero Day exploits.
I predict Microsoft will become even more secretive in the coming years. They have to, if they've really got Win10 on a billion computers and devices. They can't afford to tip their hand like they've been doing.
Meanwhile, I also predict that Apple will get more on the stick about acknowledging and addressing vulnerabilities. They have to.
Oh, so all of those now over six million malware exploits against Windows were merely FUD made up by Apple users? That alone is the biggest load of crap FUD I've ever read anywhere, for-q.
Apple users are STILL waiting for that serious incursion you guys claim is going to happen "any day now!" It's only been 14 years since OS X was released as a consumer operating system, and you clowns have been claiming "any day now." When is it going to happen?
Good heavens...One would think someone is attacking their child instead of disagreeing on a product.
Some people like one and some another.
All together now: "Any day now!" :-)
Ummmmmm, tomorrow? No, wait, that's Sunday...
Day after tomorrow. Fer shure. My brother-in-law knows all about computers and that's what he said.
LOL.
Using your logic malware doesn't exist because it has to self-replicate and requires no user interaction. I'd say Windows Vista, 7, 8 and 8.1 all meet your excuses that qualify for no issues with nothing.
In fact I remember the excuses for malware not counting on Macs were that it only works on unpatched systems, the user was required to click on a link, and/or the machine had to be on the internet. So with those excuses out there I'd say Windows has been pretty solid for the last 10 years.
Actually Patch Tuesday is going away as Windows becomes a service and they don't want to wait to release patches as zero-day exploits are more common. They are getting faster and more efficient. Exactly the opposite of Apple.
Ah, and it would be so nice if folks could stick to simply "agreeing to disagree" about these things.
But if you have any knowledge of the history of computing, you know these quasi-religious verbal battles go back to the 1970's at least.
LOL. Best of luck!