Thursday, January 4, 2007

February is “Month of No Bugs”

Securosis is officially declaring February as the “Month of No Bugs”. Of course, this is only a joke, but he makes several good points.

Clearly there are differences between MoBB and those that followed. I can't say that I fully agree with the way that some of these "months" are being conducted, but I can say that I don't agree with how Apple deals with security issues overall.

Full Disclosure is a tool, nothing more. Like guns, atomic bombs and kitchen knives...FD can be dangerous...but it can also be very helpful. Therefore, at this time, FD should not be removed from the table when dealing with vendors on security issues. But then again, this is a field in which I don't have much direct experience.

If I were running MoAB, would I have told Apple about the issues that directly affected them before release and perhaps not created Metasploit modules for all the exploits?

In a perfect world, sure. But in a perfect world, Apple would turn around and inform their customers of the current situation and the danger in which their users now live. There are lessons to be learned from the other vendors in the market. This hasn't happened and IMHO that isn't a very smart way of handling security issues.

If we were all in the military, Apple would be charged with "actions unbecoming of an OS vendor with good security PR".

In a way, it seems that Apple still treats security researchers as the bad guys. Microsoft used to have this view as well, but then MS opened up to the idea of a very evil blackhat underground. The people in this underground find issues, exploit them to make money and never tell a soul. Huge amounts of money. Apple does not face this threat...at least not yet anyway. But one day, Apple's turn will come.

A vulnerability is found and Apple pulls out the lawyers and suggests that everyone shut up about it...or lawsuits will be filed. Regardless of how you feel about the Blackhat wifi issue, it is now known that wifi issues did exist in Apple Airport drivers...and to say that the research of Johnny and David had nothing to do with that...is just funny in my view.

Even if you believe that the whole Blackhat thing was fake...you should give Johnny and David a hand for pushing Apple into "conducting an internal audit of the wifi drivers." That makes you less vulnerable in the end.

Even when a vulnerability is found and begins to be exploited, they release a semi-private fix to those targeted. How is this being proactive toward security? Seriously. This proves that Apple has no fear of "Less-Than-Zero days". Which seems like a bad idea, yet again.

While it is true that public exploits against unpatched software are bad, these Mac fans should also think about the other factors that are bad for security. Such as the false idea that Mac users don't need to know anything about security to be safe. That attitude itself is just as dangerous. Couple that with the official silence from Apple and the picture starts to come into focus.

Apple cares more about their bottom line and their image...than the security of their customers. But that really isn't shocking....

Apple isn't here to make your iExperience hip or cool, they are here to make money. Nothing more. But that is just my 2 cents...
