Slashdot Mirror
Call for Apple Security 'Czar'
conq writes "The second security non-incident to hit the Mac platform in as many weeks has been debunked. People are talking a lot about security on the Mac these days, and the result is that a great deal of FUD is being spread around. BusinessWeek's latest Byte of The Apple column suggests that its time for Apple to appoint a security Czar to get out ahead of the FUD before it spreads much more." From the article: "Creating a CSO position may be viewed by some as an admission of weakness. Still, I say it would be a good way for Apple to inoculate itself against the perception -- warranted or not -- that Mac security may be eroding, and get ahead of the curve for any troubles that may be inevitable. That may not be the case, but in matters related to product marketing, it's the public perception, not the reality that really matters. And once you've lost a user's confidence, it's hard to get it back. Just ask Microsoft."
To maintain public confidence in its operating system, Jobs & Co. should consider hiring a security czar
Huh? Most of the "public" I know doesn't have any lack of confidence in OS X and hasn't even heard all the latest "scares" of OS X's security. In fact, I'd venture to guess that most of the "public" knows nothing about OS X being more secure than Windows (as it isn't really an advertised fact) and think that viruses/trojans/worms, etc, are just a part of computing.
Remember that to the average luser, anything made by Microsoft is top-notch. If it weren't, they wouldn't be in the position they're in market-wise. It's all those damn "hackers" out there that cause the problems, not Microsoft.
This guy's the limit!
It's not FUD if the vulnerabilities are real. The fact that not many machines were affected is not relevant. With only 3% of the OS market - I wouldn't expect any Apple outbreak to bring down the house. The point is - Mac's are not immune and the sooner people realize it and cast off their false sense of security the better.
hi
it's the public perception, not the reality that really matters.
OK, then everybody else can stick to the illusion of security with Windows despite reality, and I'll be happy in the reality of my secure OS X machines.
OS X is not 100% secure, but out of the box, its about as secure as any system can be that has a network adaptor in it. Try this on your average box:
netstat -an |grep -i listen
tcp4 0 0 127.0.0.1.631 NOT JUNK LISTEN
tcp4 0 0 127.0.0.1.1033 NOT JUNK LISTEN
Go ahead, break into 127.0.0.1. I dare you.
Please use fewer junk characters OK Please use fewer junk characters OK Please use fewer junk characters OK Please use fewer junk characters OK Please use fewer junk characters OK Please use fewer junk characters OK
...just because it hasn't happened yet (in the field, as it were), doesn't mean it won't happen. Apple would do better looking like they're on top of it even if it does appear to be non-event. There is no such thing as a secure system.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
This isn't about Mac security, it's about public perception of Mac security. He's calling for a VP of Marketing/Publicity for Security Issues.
//sorry for the awkwardness of that sentence)
As stated in the article, putting security in the hands of an individual is counter to Apple's philosophy of having security be a priority for everyone.
I personally think Apple's better off letting third parties defend the FUD; they seem to be doing a swell job with the last two instances. By now, no one in the know doesn't know that the past two were FUD.
Those who aren't in the know didn't even hear about it.
IMO, we should never ASK a company to add in another layer of publicity and marketing. That's asking to be mislead by slanted information, be it MS, Apple, Google, IBM, or whomever.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
Microsoft's probem isn't the public perception that it has security problems. It's concrete, measurable, reality that thorns their side. It's Microsoft who floated the "Windows get hacked because its a bigger target" fantasy. But you can take a Mac out of the box and scan it and find zero open ports. A Windows machine has more than a dozen. Those ports are open for Bill's benefit, not for the customers'. Bill wants to keep his fingers in every Windows box, and won't give up that capbility in exhange for better security. Yes, the Mac probably still has some OS flaws that hackers could exploit, and thus Apple can't be complacent. But at least Steve isn't holding the door open to let the hacker inside.
Who has a "security czar" on their systems? Trusted Solaris does not. Nor does HP, nor does Trusted Vax. Back in the early 90's when I worked at HP and later at IBM, I can tell you that we had groups that went over security, but once again, no "security czar".
Or are you trying to imply that MS is now secure?
I prefer the "u" in honour as it seems to be missing these days.
Sounds to me they need to hire someone with appropiate skills in either their PR or Legal departments.
Two non-security incidents in a month almost certainly mean that they're the victim of a FUD campaign.
The right way to answer that is not to validate the fud, but
... communicate the truth - which is a function of PR, and ... make sure no-one's illegally slandering their trademark -which is a function of legal.
The latter is far more dangerous to Apple than the hypothetical security non-issues a CSO could address.If Apple had wanted to move to Windows, they could well have done so a long time ago. They even considered using the NT kernel for the next-gen Mac OS before they settled on NeXTSTEP. Thus far however, they've shown no signs that they're even considering it; and if you look at it, does it make sense? Apple are doing very well producing both the hardware and the software, and the software is definitely considered important to Apple (at the WWDC 2005, Jobs said "the heart of the Mac is its operating system"), and the OS is definitely well-loved by the Mac community (I personally adore OS X; the closest I've come to an operating system as nice as RISC OS). If Apple switched to any form of Windows, the revolt would be huge.
I see no advantages to Apple to switching to Windows; they're doing very well with OS X.
And tomorrow the stock exchange will be the human race
I've examined and compared the security features of operating systems for many years now and I can tell you one thing for certain. No "useful" operating system is invulnerable... and this includes Mac OS X, regardless of what hardware it is running on.
Of course, you could argue that it be completely locked down with no keyboard or connection to the Internet, etc... but this would be a completely moot point.
With this in mind lets consider the overall design of the security subsystem. Apple Mac OS X is much better DESIGNED than Windows in its current state. I won't delve into detail about protected memory, access controls, permissions, default configurations, open ports, etc... but out of the box Mac OS X is more "security minded" that Microsoft's Windows.
Now, keep in mind that things ARE changing. No matter how much heat Microsoft takes they are still managing to improve the quality of their product. Windows XP is a far superior product (security wise) than was 98 or ME... and it appears that the next version of Windows is even more security conscious.
In conclusion, people should not "judge" an OS based on the potential for it to have problems... they all will. Mac OS X has enjoyed a reputation for safety that is based on many factors (including having a small market share). However, the bottom line is that it is very "security aware" and has the potential for you to lock it down even more... and this is the right perspective to look at.
Matt Wong
http://www.themindofmatthew.com
Just ask Microsoft.
Or an ex-customer like me.
Perception of course matters to many people. But hopefully reality matters to many more people.
Apple, please... just please... do everything you can to keep your customers' computers safe. That's all I ask. Appoint a CSO or don't, I don't care.
Developers: We can use your help.
Instead of bleating for help howzabout looking up your question for yourself?
"university wisconsin mac challenge" are some good key words.
If you think the topic is of general interest then post back your results.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
While I don't disagree with you necessarily, I'd like to point out that that statement could have been cut an pasted from a post 6 years ago. And has yet to happen.
a man, a plan, a canal, panama
Put up a stock OS X box, with default config, and encourage the blackhat crowd to go for it. Take what they learn, apply it to the system updates, and re-iterate.
--
Don't like it? Respond with words, not karma.
How do you expect Apple to dismiss security reports as "a FUD campaign" to be fought with PR when they just released a security update that patched 20 holes and in 2005 released security updates nearly every month (nearly as often as Microsoft)? Apple didn't have to release any from Dec 2005-Feb2006, but the massive March 2006 Security Update makes up for those three months. ;-))
Apple needs to treat their holes as real problems, not just as a PR problem. And they're actually doing just that by releasing fixes and not spouting PR. Spouting PR would only make them a bigger target for hackers, just as appointing a "Security Czar" would. The latter would also undermine confidence of the general public ("If Mac is so secure, why do they need a 'Security Czar'?")
-- "I never gave these stories much credence." - HAL 9000
The second challenge debunks nothing. One challenge gave shell access, the other didn't.
The second challenge did not debunk the first challenge, it debunked the poorly written and misleading articles about the first challenge by replicating the situation the articles depicted the first challenge as being.
Only one of those actually ended up demonstrating a result.
You can't logically prove a negative. What amount of time is sufficient to show something won't ever happen?
Not to mention that the second challenge was pulled early...
But not because it was hacked. It was pulled for reasons outside the control of the person running it and certainly stood up to more than 30 minutes of attacks, thus the sensationalist articles were debunked.
Remote "shell" exploit? Why would it be a shell exploit, necessarily?
I certainly think it is likely there are remote exploits for OS X out there. There are certainly a lot of white hats and other crackers that would love the publicity this could have generated for them. There are also a lot of people that would like to quiet down the small number of uninformed, overzealous fans of OS X that at times can be quite annoying. What this has show is that remote exploits are not common enough that people can demonstrate one to show boat and they are not easy enough to find that they can be found and demonstrated by the white hats in that short a period.
Basically this confirmed what pretty much every security person already has plenty of evidence to support. The point you are missing is that while the original test was somewhat useful, the very poor articles about the original test spread misinformation and FUD that did more damage than the original test did good. It is those articles that this challenge was designed to rebuke and it has done that much at least.
At least with this story we get a peek at how Business Week sees the world. A "Security Czar" job is to create propaganda, not enforce security policies. Appointing such a person is principally "an admission of weakness", not a declaration of strength.
Who do they back on National Security issues? How do their favorite National Security spokesmodels rate?
--
make install -not war
HOWEVER, as lot has happened in the last 6 years. Right now I am running SymplyMEPIS-3.4.3 with KDE 3.50 on my Gateway m675prr laptop. KDE 3.5 is, IMO, more powerful, flexible and easier to use than Microsoft's aging XP.
no, it isn't. Let's look at KDE alone, disregarding all the complications due to the distro fascism.
KDE is utterly complicated, overpersonalizable, at the point that when you have to set something, you spend a considerable amount of time looking for the desired option diluited in a mayhem of totally confusing and mostly unused configuration options. As an old time linux user (from KDE1.0 beta4) now mac user, i totally hate this "you can configure anything" approach, because what you obtain is only an, almost highly personalizable, mess.
From some of the previews I've read of VISTA, it seems to me that KDE 3.5 or the soon to be released KDE 4.0 will give VISTA a good match, especially for basic office uses.
No. I've seen vista in action, and althogh i don't know the details, the graphic engine and polished look is way over KDE. probably it's an issue of X, i can agree, but the face of the desktop and the cleanness of the interface is no longer an option. is a must. I cannot accept to be forced, in 2006, to remove antialiasing because antialiased fonts are drawn in a so crappy way to become almost unreadable. And i'm talking about a new gentoo installation.
As to when "it" will happen, don't be suprised if "it" blindsides both you and Microsoft. It is easy to keep track of Windows or Mac OS installs because of the retail channel count. No one is tracking how many times any Linux distro is downloaded
As high can this number actually is, it's nothing compared to a steady 1% monthly gain of market share for windows XP. This trend was plotted both by google zeitgeist (before the shutdown of this statistic) and now by w3schools. And we are talking of approximated global market share.
So, even if you install 10 linux boxes per day, you have to consider that:
1) they are _nothing_ from a numerical point of view to the massive market share of win platforms, and even to the daily computer sale, even in a small reality (if compared to the world) like your city.
2) how many of these boxes actually will retain a linux configuration? i brought so many people to linux, and a lot of them went back to windows because they were unable to use it even for the simplest tasks.
3) for each box, you eventually paid an OEM windows license, so even if you hurt them in the market share, you don't hurt them in the wallet.
-- "If A equals success, then the formula is A=X+Y+Z. X is work. Y is play. Z is keep your mouth shut." - Einstein
As others have pointed out, the proposed position is a PR position. I want the real deal -- actual security not the appearance of it. On that note, the clueless keep making noise about Unix being "fundamentally more secure" than Windows, and that's bullshit. Let's be clear: the practical differences between OS X and WinXP in terms of security come down to the vendor's practices and the dilligence of the admins. There's no technological magic juice here. There are, IMO, zero fundamental differences between OS X and WinXP (or stock Linux) when it comes to the potential for local or remote vulnerabilities. Local and remote exploits are quite possible and practical on all these platforms.
Thus Apple has two approaches it can take. First, it can consider tactics that harden the system as a whole, making it much harder for exploits to work in the first place. Look to approaches such as those taken by grsecurity, SELinux, and the other layers found in hardened Linux and *BSD distros for examples. Harden the hell out of the kernel and compiler layers as baseline approach. Perhaps fund Coyotos work as a strategic-term approach, with an eye towards migrating the kernel. The room for innovation here is to present a hardened system that isn't any harder to use.
Second, Apple simply must be dilligent in identifying and fixing exploits. To that end, I'd propose that Apple offer a substantial first-reporter bounty for local and remote exploits on the Mac OS X platform. Think about it: set aside the equivalent salary+overhead of one or more good security experts. Divvy that amount out to leverage a larger community each year. I'd love to see a few students help pay their way through college this way. 8-)
Forget the illusion of no exploits -- go out, find 'em, and close 'em first.
("If Mac is so secure, why do they need a 'Security Czar'?")
Or:
- If the Mac is so fast, why do they have performance engineers?
- If the Mac is so easy to use, why do they have usabilty specialists?
- If the Mac hardware is designed so well, why do they need designers?
- If Apple is a well-run company, why do they need a CEO?
Answer to all of the above: if you want to excel in a particular area, you need people to work at it. You do well *because* you have people focusing on it.
Computers are complex machines, and you don't (generally) get any particular high-level positive attributes without doing any work. If you did, then everybody's computers would have that attribute.