Friday, August 22, 2008

Apple: Check Yourself Before You Wreck Yourself!

Via DVI Labs -

There was a time, not so long ago, when Apple was the plucky upstart. They weren't the second-largest music retailer in the United States. They didn't hold a virtual monopoly on portable music players, and they didn't capture nearly half of the high-end laptop market.

Apple was, instead, a geek's company. They were open and friendly, flexible and more than a little quirky. Sure, the fact that large portions of their code are open source is great, and certainly something of which I approve, but they've definitely started playing their cards a bit closer to their chest, at least on security issues.

[...]

The big evil corporation guilty of being notoriously tight-lipped about security vulnerabilities used to be Microsoft. However, Microsoft has become considerably more forthright of late: with their new MAPP initiative (http://www.microsoft.com/presspass/press/2008/aug08/05-08BlackHat08PR.mspx) and their rather wry sense of humor about vulnerabilities, Microsoft has actually become one of the most open major vendors when it comes to details about security flaws. This is nothing but a good thing.

Apple has the whizbang factor sewn up, especially with Joe Consumer: Apple is just cool, while Microsoft is seen as stodgy at best. But one of the fanboys' rallying cries, of "better security", may be falling by the wayside. Apple can't really claim the moral high ground on security issues anymore. At best, they're on par with the rest of the industry, and at worst, they're falling behind.

I'd love to see a MAPP-like initiative from Apple. They could even come up with a marketing-friendly snazzy name for it, like MAPPLE or something. I'd love to see Apple embrace the security community. I'd love to see more details in Apple's security advisories, and I'd love to see less restrictive NDAs on development tools and software licenses.

In other words, I'd love to see an Apple that's not just cool for Joe User, but also for Joe Researcher. Apple's got great inroads in the security community: at Black Hat I saw an equal number of Macs and non-Macs. If Apple wants to keep that sort of inroad, a little more goodwill to the security community would be much appreciated.

---------------------------

Rob is right on....

I think part of the problem is that Apple doesn't have a huge security focused corporate customer base...follow me on this one.

Yes, tons of security researchers use Apple...but let's look at the majority of normal corporate installations of Apple.

Are they running huge customer or financial databases on Apple Servers? - No.

Are they running Enterprise Resource Planning (ERP) suites on Apple? - No.

Are they running their widely popular e-commerce site on Apple? - No.

Are the majority of Point-of-Sale Systems, ATMs, or Battleships running Apple? - No.

So if a vulnerability is found in OS X and Apple keeps tight-lipped about it, who is going to complain? Who is really worried that their whole customer database could be stolen with this unknown Apple vulnerability? Who is worried that a critical national infrastructure system could stop working? No one...

This scene changes a bit when you look at the iPhone and Apple products created for Windows (e.g., QuickTime, Safari, etc.).

There is a bit more pressure from the corporate world when vulnerabilities are found in these products.

In short, I think Apple's tight-lipped security policy is fueled by its lack of strong corporate / critical installations and the lack of organized cyber-crime interest...which results in reduced pressure to disclose possible unknown attack vectors.

This could change with time, and it would be in Apple's best interest to take steps now...down that security openness road.
