Slashdot Mirror


Call for Apple Security 'Czar'

conq writes "The second security non-incident to hit the Mac platform in as many weeks has been debunked. People are talking a lot about security on the Mac these days, and the result is that a great deal of FUD is being spread around. BusinessWeek's latest Byte of The Apple column suggests that it's time for Apple to appoint a security Czar to get out ahead of the FUD before it spreads much more." From the article: "Creating a CSO position may be viewed by some as an admission of weakness. Still, I say it would be a good way for Apple to inoculate itself against the perception -- warranted or not -- that Mac security may be eroding, and get ahead of the curve for any troubles that may be inevitable. That may not be the case, but in matters related to product marketing, it's the public perception, not the reality, that really matters. And once you've lost a user's confidence, it's hard to get it back. Just ask Microsoft."

10 of 254 comments

  1. The importance of user confidence by FuzzyDaddy · · Score: 5, Informative
    And once you've lost a user's confidence, it's hard to get it back. Just ask Microsoft

    And yet, they still seem to be doing OK.

    --
    It's not wasting time, I'm educating myself.
  2. Wow, talk about an unassailable position by hey! · · Score: 4, Informative

    it would be a good way for Apple to inoculate itself against the perception -- warranted or not -- that Mac security may be eroding

    While I agree that every company that sells operating systems should take security seriously, and that having somebody responsible is practically always a prerequisite to being "serious", it's really too bad that people don't seem to absorb a bit more reasoning skill by the time they get out of school.

    Sure, Apple's relatively superior security record "may" erode as they start to gain market share and visibility to the black hats. In fact I'd say there's not much room for it to go other than the direction of erosion. However, we don't have any evidence that anything like a disaster is about to happen. You can posit that terrible things may happen, and nobody can prove you wrong. You could posit that Steve Jobs is the vanguard of an alien mind-control invasion, and nobody could prove that wrong either. These are the sort of things that can only be proved in an affirmative sense: some researcher finds a vulnerability in the Mac OS authentication system, or tentacles suddenly springing from Steve's head.

    Right now I'd say the biggest problem is the Mac user base's overconfidence. While back in the day, Mac users did struggle quite a bit with viruses, which were oh-so-much more interesting to write for the more advanced Mac platform than for DOS, recently, they're getting a bit cocky. They're not as used to the security patch grind as the people running Windows.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  3. Well, then, that would be poetic justice by hey! · · Score: 2, Informative

    After all, the top secret Apple/Novell skunk works project to show MacOS running on Intel ('486) was code named "Star Trek". They actually had Finder running and had ported QuickDraw GX and QuickTime by the end of 1992; however when Sculley left and Spindler came in, they turned to the PowerPC instead.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    1. Re:Well, then, that would be poetic justice by good+soldier+svejk · · Score: 2, Informative

      Apple, IBM and Motorola formed the AIM alliance (AIMed breaking the INtel deathgrip on the PC architecture) in 1991, two years before Sculley left.

      --
      It is cowardly, and a betrayal of whatever it means to be a Jew, to act as a white man

      -James Baldwin
  4. Re:Biased poster by JazzCrazed · · Score: 2, Informative

    Agreed; I think privilege escalation is more than just FUD. It's a vulnerability that needs to be quashed.

  5. Uhh, personally by mcc · · Score: 4, Informative

    Personally I think they'd be better served by concentrating on improving their security, rather than concentrating on improving their security-related PR.

    Analysts and bloggers crowing endlessly about "Apple/Linux/Firefox/whatever don't have better security, they're just smaller" gets attention for a little while, but just let time pass. Eventually people realize they're being cried wolf to. After a few years people will have forgotten the bloggers, but will remember whatever the next major Windows worm incident that gets on the nightly news turns out to be.

    Unfortunately, this only works if you really do have better security. And while this article is just talking about media events like the mac mini challenge as if they're all that matters, Apple has had real security problems of late. Whether or not the mac mini challenge was important for real security there are apparently some os x privilege escalation exploits floating around, and there was that incredibly embarrassing bug a while back where Safari could be tricked into launching a shell script as if it were a .jpg. Exploits based on getting the operating system confused about filetype mismatches are really the kind of thing we should not be seeing in 2006, especially since (1) OS X has had security issues of this exact same type before and (2) this is the exact kind of exploit which is the basis for many Windows e-mail worms. Apple needs to take this seriously.

    Taking this seriously does not mean-- as the article suggests-- appointing someone to talk to the press about how great Apple's security is. It means actually fixing the problems, and making some effort to see what other problems might be out there. PR is temporary, and if you do too much of it, it can backfire (as people start to assume anything positive they read about your platform is just a result of PR). Real security problems like the filetype bug I mention can impact your reputation for years, no matter how much you try to spin them.

    Speaking of which, there was a new security update on Apple Software Update this week. Anyone know what exactly that covered? Is the jpg/sh MIME or whatever problem fixed yet?
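
    The filetype-mismatch bug class mentioned in the post above (a script accepted because its name ends in .jpg) is usually closed on the defending side by trusting the file's leading bytes rather than its extension or a sender-supplied MIME type. The following is an added example, not code from this thread or from Apple: it sniffs the content, compares it with what the name claims, and flags the exact case where executable content wears an image extension. The magic values are the standard published ones for JPEG, PNG, GIF, ELF and Mach-O; the sample files are constructed here for the demonstration.

```python
"""Check that a file's content matches what its extension claims.

Added example, not code from the Slashdot thread or from Apple. The post
above describes a bug class where a shell script is accepted because its
name ends in .jpg. A download handler or mail gateway can close that gap by
sniffing the leading bytes and refusing to treat the file as an image when
the content says otherwise. Signatures below are the standard published
magic values; the sample files are constructed here for the demonstration.
"""
import os

# (type name, extensions that claim it, leading-byte signatures)
IMAGE_SIGNATURES = [
    ("jpeg", {"jpg", "jpeg"}, (b"\xff\xd8\xff",)),
    ("png", {"png"}, (b"\x89PNG\r\n\x1a\n",)),
    ("gif", {"gif"}, (b"GIF87a", b"GIF89a")),
]

# Native executable headers: ELF, Mach-O (both byte orders, 32- and 64-bit) and fat Mach-O.
EXECUTABLE_SIGNATURES = (
    b"\x7fELF",
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
)


def sniff_type(data: bytes) -> str:
    """Classify content from its first bytes, ignoring the file name entirely."""
    if data.startswith(b"#!"):
        return "script"          # interpreter line: a shell/perl/python script
    if data.startswith(EXECUTABLE_SIGNATURES):
        return "executable"
    for name, _exts, sigs in IMAGE_SIGNATURES:
        if data.startswith(sigs):
            return name
    return "unknown"


def classify(filename: str, data: bytes) -> tuple:
    """Return (verdict, detected_type), comparing the extension's claim to the content."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    claimed = next((name for name, exts, _ in IMAGE_SIGNATURES if ext in exts), None)
    detected = sniff_type(data)
    if claimed is None:
        return ("unknown-extension", detected)
    if detected == claimed:
        return ("ok", detected)
    if detected in ("script", "executable"):
        # Exactly the case from the post: code wearing an image extension.
        return ("executable-masquerading", detected)
    return ("mismatch", detected)


# Constructed sample inputs (not real files from anywhere).
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",   # genuine JPEG header
    "photo.jpg": b"#!/bin/sh\necho 'not a picture'\n",    # script named as an image
    "cat.gif": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",     # PNG with the wrong extension
    "notes.txt": b"plain text",                            # extension makes no image claim
}


def scan_samples() -> dict:
    """Run the check over every sample and return {name: verdict}."""
    return {name: classify(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:14s} {verdict}")
```

    Run as a script it prints one verdict per sample; the interesting line is "photo.jpg executable-masquerading". Treat this as one gate among several: a file can carry a correct image header and still be mishandled by the application that opens it, so the sniff decides which handler a file is allowed to reach, not whether that handler is safe.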

  6. Re:Biased poster by dclydew · · Score: 3, Informative

    Escalation of Privileges is a vulnerability, the last time I checked.

    --
    Get a life, not a lifestyle. - Hikem Bey
  7. Re:U of Wisconsin? by ryanr · · Score: 2, Informative

    Turns out he didn't get permission from the university to run a hacking challenge, and had to pull it. Whoops.

  8. Re:non-incident? by 99BottlesOfBeerInMyF · · Score: 2, Informative

    Could someone please enlighten me as to why it is possible for a least privileged user account to gain root without the consent of the owner to be classed as a "non-incident"?

    It isn't a non-incident, but neither is it a remote exploit. Apple fixes 5-10 local escalations a month in their security updates, many of which are found by outside security people. Thus exposing one more is not exactly news. This is the same for Linux or most any other OS not designed to be ultra-secure. (Except Windows which has innumerable local escalations they haven't bothered to fix and which is sort of a moot point since everyone runs as admin all the time.)

    The reason everyone took notice in this case is because the articles written about the local escalation portrayed it as a remote exploit, not a local escalation. Further, in addition to being a local escalation it was a local escalation on a box with several measures taken specifically to reduce security (enabling the root account and installing all the CLI tools in Fink).

    It's like news articles running "Danger babies exploding killing those nearby!" People sit up and take notice, until it comes out that the articles failed to mention the babies had been fed on a diet of inert explosives and put in a microwave. It's still news, but it is no longer an imminent danger to the average person. Thus a lot of people were upset that they were misled.

    Just for your own personal info and so you know the score... someone out there, likely a number of them, can remotely hack your OS X or Linux box. A fair number of people out there, given access to your machine via a trojan, shell account, or some other mechanism can find a local escalation and root your box. If you are running a system and think it likely one of the few expert security people or "hackers" will be attacking your machine to get your data you should not be storing that data on OS X or most Linux distros. The same goes if you plan on running any random executable given to you or if you are giving shell accounts to strangers. If you plan to do either you should be running OpenBSD with jails, SELinux, or some other ultra-secure OS with VMs to segregate users and applications.

  9. Re:What is it with the 'Czar' title? by Petrushka · · Score: 2, Informative

    Calling the Christian god a lord is a political move made by the church

    Both parts of this assertion are false. It was a theological move made by the Jewish elders who translated the Talmud into Greek, ca. 3rd century BCE: in order to avoid using the name Yahweh, they used the Greek word kyrios meaning "head of the family/household". Everyone since then has been copying them: it's all pre-Christian. The reason kyrios got translated into English as "lord" was because Anglo-Saxon hlafweard also meant "head of the household", and like kyrios was not primarily a political term at the time.

    If you want to tear someone else's arguments apart on the grounds that they're ignorant, try to make sure you're not. It's pretty clear to me which of the two posts above was not motivated by close-minded hatred.