Slashdot Mirror
Call for Apple Security 'Czar'
conq writes "The second security non-incident to hit the Mac platform in as many weeks has been debunked. People are talking a lot about security on the Mac these days, and the result is that a great deal of FUD is being spread around. BusinessWeek's latest Byte of The Apple column suggests that its time for Apple to appoint a security Czar to get out ahead of the FUD before it spreads much more." From the article: "Creating a CSO position may be viewed by some as an admission of weakness. Still, I say it would be a good way for Apple to inoculate itself against the perception -- warranted or not -- that Mac security may be eroding, and get ahead of the curve for any troubles that may be inevitable. That may not be the case, but in matters related to product marketing, it's the public perception, not the reality that really matters. And once you've lost a user's confidence, it's hard to get it back. Just ask Microsoft."
A chief security officer? Why did an image of Lt. Worf just pop in my mind?
And yet, they still seem to be doing OK.
It's not wasting time, I'm educating myself.
I'm concerned about the security on my new Intel iMac. Do any helpful /.ers want a SSH login on my machine so that they can take a look and tell me if it's secure?
To maintain public confidence in its operating system, Jobs & Co. should consider hiring a security czar
Huh? Most of the "public" I know doesn't have any lack of confidence in OS X and hasn't even heard all the latest "scares" of OS X's security. In fact, I'd venture to guess that most of the "public" knows nothing about OS X being more secure than Windows (as it isn't really an advertised fact) and think that viruses/trojans/worms, etc, are just a part of computing.
Especially if the appointee is a highly-visible and respected switcher to OSX from the open-source community.
If nothing else, it'll start an effective and accurate comparison of the state of security between OSX and Winodws, a feature of OSX that Apple has not stressed as much in their ads as they should.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
Jacques A. Vidrine was recently hired on (leaving Verio) and now holds a high level position in the Apple Information Security. Jacques was the former FreeBSD Security Officer
"Creating a CSO position may be viewed by some as an admission of weakness." - Not if they market the position like the Maytag Repair Guy...
Remember that to the average luser, anything made by Microsoft is top-notch. If it weren't, they wouldn't be in the position they're in market-wise. It's all those damn "hackers" out there that cause the problems, not Microsoft.
This guy's the limit!
Why is it we have so many 'Czar' titles nowadays?
.......
What about other titles for potentates?
'Chief' 'King' 'Master' 'Commander' 'Lord'
Microsoft's probem isn't the public perception that it has security problems. It's concrete, measurable, reality that thorns their side. It's Microsoft who floated the "Windows get hacked because its a bigger target" fantasy. But you can take a Mac out of the box and scan it and find zero open ports. A Windows machine has more than a dozen. Those ports are open for Bill's benefit, not for the customers'. Bill wants to keep his fingers in every Windows box, and won't give up that capbility in exhange for better security. Yes, the Mac probably still has some OS flaws that hackers could exploit, and thus Apple can't be complacent. But at least Steve isn't holding the door open to let the hacker inside.
it would be a good way for Apple to inoculate itself against the perception -- warranted or not -- that Mac security may be eroding
While I agree that every company that sells operating systems should take security seriously, and that having somebody responsible is practically always a prerequisite to being "serious", it's really too bad that people don't seem to absorb a bit more reasoning skill by the time they get out of school.
Sure, Apple's relatively superior security record "may" erode as they start to gain market share and visibility to the black hats. In fact I'd say there's not much room for it to go other than the direction of erosion. However, we don't have any evidence that that anything like a disaster is about to happen. You can posit that terrible things may happen, and nobody can prove you wrong. You could posit that Steve Jobs is the vanguard of an alien mind-control invasion, and nobody could prove that wrong either. These are the sort of things that can only be proved in an affirmative sense: some researcher finds a vulnerabilityin the Mac OS authentication system, or tentacles suddenly springing from Steve's head.
Right now I'd say the biggest problem are the Mac user base's overconfidence. While back in the day, Mac users did struggle quite a bit with viruses, which were oh-so-much more interesting to write for the more advanced Mac platform than for DOS, recently, they're getting a bit cocky. They're not as used to the security patch grind as the people running Windows.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Who has a "security czar" on their systems? Trusted Solaris does not. Nor does HP, nor does Trusted Vax. Back in the early 90's when I worked at HP and later at IBM, I can tell you that we had groups that went over security, but once again, no "security czar".
Or are you trying to imply that MS is now secure?
I prefer the "u" in honour as it seems to be missing these days.
He will be able to work closely with the Quality Emperor. Both ultimately report to the Development Shogun. His office is just down the hall from the Usability Kaiser.
Every week, they hold a cross group meeting with the Sultan of Marketing, the Sales Duchess, and the Distribution Führer. They all are answerable to the Grand Baron of Charging More for Stuff because it is Shiny (he prefers people call him Tim, for brevity).
${YEAR+1} is going to be the year of Linux on the desktop!
Sounds to me they need to hire someone with appropiate skills in either their PR or Legal departments.
Two non-security incidents in a month almost certainly mean that they're the victim of a FUD campaign.
The right way to answer that is not to validate the fud, but
... communicate the truth - which is a function of PR, and ... make sure no-one's illegally slandering their trademark -which is a function of legal.
The latter is far more dangerous to Apple than the hypothetical security non-issues a CSO could address.from a group secretly funded by Microsoft who call themselves "OS X Veterans for Truth."
Pictures of Jane Fonda on her iMac will be forthcoming.
Personally I think they'd be better served by concentrating on improving their security, rather than concentrating on improving their security-related PR.
.jpg. Exploits based on getting the operating system confused about filetype mismatches are really the kind of thing we should not be seeing in 2006, especially since (1) OS X has had security issues of this exact same type before and (2) this is the exact kind of exploit which is the basis for many Windows e-mail worms. Apple needs to take this seriously.
Analysts and bloggers crowing endlessly about "Apple/Linux/Firefox/whatever don't have better security, they're just smaller" gets attention for a little while, but just let time pass. Eventually people realize they're being cried wolf to. After a few years people will have forgotten the bloggers, but will remember whatever the next major Windows worm incident that gets on the nightly news turns out to be.
Unfortunately, this only works if you really do have better security. And while this article is just talking about media events like the mac mini challenge as if they're all that matters, Apple has had real security problems of late. Whether or not the mac mini challenge was important for real security there are apparently some os x privilidge escalation exploits floating around, and there was that incredibly embarrassing bug awhile back where Safari could be tricked into launching a shell script as if it were a
Taking this seriously does not mean-- as the article suggests-- appointing someone to talk to the press about how great Apple's security is. It means actually fixing the problems, and making some effort to see what other problems might be out there. PR is temporary, and if you do too much of it it can backfire (as people start to assume anything positive they read about your platform is just a result of PR). Real security problems like the filetype bug I mention can impact your reputation for years, no matter how much you try to spin them.
Speaking of which, there was a new security update on Apple Software Update this week. Anyone know what exactly that covered? Is the jpg/sh MIME or whatever problem fixed yet?
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
How do you expect Apple to dismiss security reports as "a FUD campaign" to be fought with PR when they just released a security update that patched 20 holes and in 2005 released security updates nearly every month (nearly as often as Microsoft)? Apple didn't have to release any from Dec 2005-Feb2006, but the massive March 2006 Security Update makes up for those three months. ;-))
Apple needs to treat their holes as real problems, not just as a PR problem. And they're actually doing just that by releasing fixes and not spouting PR. Spouting PR would only make them a bigger target for hackers, just as appointing a "Security Czar" would. The latter would also undermine confidence of the general public ("If Mac is so secure, why do they need a 'Security Czar'?")
-- "I never gave these stories much credence." - HAL 9000