Slashdot Mirror
Two Black Hat Talks On Apple Security Cancelled
An anonymous reader writes "Two separate Apple security talks have been nixed at the last minute from next week's Black Hat security conference in Las Vegas. The Washington Post's Security Fix blog reports that Apple researcher Charles Edge was to present on flaws in Apple's FileVault encryption plan, but asked Black Hat to cancel the talk, citing confidentiality agreements with Apple. Then on Friday, Apple pulled its security engineering team out of a planned public discussion on the company's security practices — which would have been a first for Apple. 'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said."
This must be bitter sweet for Steve B., since Apple likes to tout that it's software is more secure than Vista. I wonder if Walt Mossberg is taking note of this.
I think Steve J.'s brand of evil is about the same as MS's, but because they are perceived as underdogs, people don't care as much.
Apple's marketing is genius.
A few years back, they were talking up how FileVault (home folder encryption) uses AES-128 encryption, implying that it would take longer to crack than the age of the universe.
http://www.apple.com/sg/macosx/features/filevault/
Meanwhile, the password could often be found in plain text on the hard drive in swap files. This was back before encrypting swap was an option.
It's also funny how a company that sells itself as secure has root privilege escalation without a password as a feature out of the box.
http://www.apple.com/sg/macosx/features/security/
I guess the default account having root access is sort of an industry standard given Windows. Phrases like "wise architectural decisions" are relative, so not strictly false. I won't touch "intelligent design".
But saying, and I quote, "The Mac OS X administrator account, unlike the Windows admin account, disables access to the core functions of the operating system." is an outright lie (see above "root privilege escalation feature").
It's somewhat of a sad fact that this has been considered as fair and normal practice in the industry. Maybe because no real "safety" issues can be dragged into the mess, people who are not in the know simply do not care.
/. approved, lets use the highly venerated auto industry. When product issues come up, auto makers must make their shortcomings public, and even issue recalls to fix said problems.
Just to make sure i'm
Just because my PC doesn't explode when hit from the rear, doesn't mean the shortcomings are any less valid. While of course marketing does not want anyone to know anything bad could ever happen with a Mac, it would be better for the company and its clients to have a more open dialog. Pretending there are no holes does not fill them.
I doesn't surprise me Apple's marketing team doesn't allow comment on practices, fixes or developments... they don't even get back to the people finding issues like Jon Longoria on the Spaces theoretical vulnerability. I emailed him to see if he had gotten comment and was told noone would talk with him to discuss the problem or attempt a fix. RE: http://thereformed.org/2008/05/03/theory-apple-osx-spaces-vulnerable/ . I don't really get wtf is wrong with Apple, I think they're locking up under the strain of their evolving popularity. Apple, you've actually broken into the real industry and not the hobbyist, its time to put your pants on and get open about your problems and what you're doing to fix them!
I'm not surprised really to see a corporation sponsored "Hacker" conference have talks canceled due to confidentiality agreements.
I've yet to hear a real hacker conference have their talks canceled due to something like that. Normally cancellations involve the speaker being escorted out in handcuffs.
But honestly there are far better, and more hacker-centric conferences out there than Black Hat. Conferences that come to mind are Chaos Communications Camp (or Chaos Communications Congress in the winter), Defcon, and even H.O.P.E. are far better choices than Black Hat.
There are more conferences out there that have the same "hacker spirit" but aren't as hard-core like NotaCon which has more of a social atmosphere to it.
But I digress, plan to see more of these types of cancellations at Black Hat in the future since the corporations just are looking for another excuse to line their pockets with more money. The fees for this Conference are astronomical, anywhere between $1300.00 to $5000.00 PER TALK compared to The Last H.O.P.E. where the price was ~$80.00 total as in you pay $80.00 and you get to go to EVERYTHING.
-VK
Well, of course! Apple is the underdog. Never mind the fact that is has the number one selling music player, and the market share is increasing, and that iTunes is extremely popular, and people are killing others for a iPhone...
Oh wait. Maybe Apple ISN'T the underdog. Maybe its practices are just the same as any other large company that wants to make a profit. It's no different from any others in that respect, in fact, it may be worse, as people excuse Apple for a lot, as they still think of it as the underdog.
1. Create two accounts on your mac. One is a throaway with fileVault turned on.
2. Log in to both and switch to your non FileVault account.
3. Copy a large enough chunk of data to the drop box of the FileVault user so that you will ALMOST fill up the boot drive.
4. Duplicate that data to another folder on your boot drive.
5. Wait till the hard drive fills up and you have 0 K on the drive.
6. Launch Safari and load a few web pages with lots of rotating ads. This is to guarantee that more data is being brought onto the hard drive.
At some point, the FileVault account becomes corrupted. You can't log in to it, you can't recover it. It's gone.
- Zav - Imagine a Beowulf cluster of insensitive clods...
'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said."
I'd say it's more likely that legal got wind of it, not marketing.
The higher the technology, the sharper that two-edged sword.
The "marketing got wind of it" quote from the summary is attributed to the Blackhat organizer, not Apple's marketing department. There's you daily dose of slashdot bias for ya.