Two Black Hat Talks On Apple Security Cancelled
An anonymous reader writes "Two separate Apple security talks have been nixed at the last minute from next week's Black Hat security conference in Las Vegas. The Washington Post's Security Fix blog reports that Apple researcher Charles Edge was to present on flaws in Apple's FileVault encryption plan, but asked Black Hat to cancel the talk, citing confidentiality agreements with Apple. Then on Friday, Apple pulled its security engineering team out of a planned public discussion on the company's security practices — which would have been a first for Apple. 'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said."
Sounds like the marketing policy is "pretend there are no security issues". Hey, it seems to work.
Justice is the sheep getting arrested while an impartial judge declares the vote void.
1. Cancel Security Talks
2. ???
3. Profit!
From a management and shareholder perspective I think it's quite normal and understandable for Apple to create such a policy.
A self-acclaimed public spokesperson representing your company on a subject without prior permission?
You must be a veteran here but new on the job market.
tl;dr
if we kill those marketing people, the world is going to be a much better place. preferred method should be beating to death with a stick.
of course, that's excluding nycl from the lawyers list.
Read radical news here
Again, this is the perfect example of not admitting that there is a "problem" and willing to fix it ...
SB
I guess Apple is still very much old school when it comes to admitting their mistakes. Or they might just believe in security through obscurity. Either way, this move put them in the limelight even more. Great work, marketing. Someone deserves to be fired...
It's evident now: "Security by obscurity".
...it sounds like. That's "(perceived security) through obscurity", not "perceived (security through obscurity)". Well, maybe that too.
i don't know how, but this is definitely MS's fault. those sneaky pricks at MS have found a way to force apple into using their patented security model.
If you mod me down, I will become more powerful than you can imagine....
you would want exploits in your system known? say you're running a bunch of servers or selling a software product; would you like people to know how to make you lose time/money?
sarcasm > bash
This must be bittersweet for Steve B., since Apple likes to tout that its software is more secure than Vista. I wonder if Walt Mossberg is taking note of this.
I think Steve J.'s brand of evil is about the same as MS's, but because they are perceived as underdogs, people don't care as much.
Who are interested users. BSD/OS core team. They empire in decline,
Apple's marketing is genius.
A few years back, they were talking up how FileVault (home folder encryption) uses AES-128 encryption, implying that it would take longer to crack than the age of the universe.
http://www.apple.com/sg/macosx/features/filevault/
Meanwhile, the password could often be found in plain text on the hard drive in swap files. This was back before encrypting swap was an option.
It's also funny how a company that sells itself as secure has root privilege escalation without a password as a feature out of the box.
http://www.apple.com/sg/macosx/features/security/
I guess the default account having root access is sort of an industry standard given Windows. Phrases like "wise architectural decisions" are relative, so not strictly false. I won't touch "intelligent design".
But saying, and I quote, "The Mac OS X administrator account, unlike the Windows admin account, disables access to the core functions of the operating system." is an outright lie (see above "root privilege escalation feature").
While it's pretty sad to hear that their security team is not allowed to speak, there are still two talks about Apple products left: Jesse D'Aguanno's talk about rootkits for OS X, and Petko D. Petkov who announced he might provide some details about a 0-day attack against Quicktime.
Rule #1: You do not talk about Apple flaws
Rule #2: You DO NOT talk about Apple flaws
Rule #3: If someone says "stop" or goes limp, taps out we make him the CEO
Rule #4: Only two sentences to an argument
Rule #5: One argument at a time
Rule #6: No punch, no daiquiris
Rule #7: Cover-ups will go on as long as they have to
Rule #8: If this is your first night at Apple flaws, you HAVE to swallow
-Billco, Fnarg.com
All the Mac users I know have brown hats, not black ones.
You thought my name meant what? How very dare you!
It doesn't surprise me that Apple's marketing team doesn't allow comment on practices, fixes or developments... they don't even get back to the people finding issues, like Jon Longoria on the Spaces theoretical vulnerability. I emailed him to see if he had gotten comment and was told no one would talk with him to discuss the problem or attempt a fix. RE: http://thereformed.org/2008/05/03/theory-apple-osx-spaces-vulnerable/ . I don't really get wtf is wrong with Apple; I think they're locking up under the strain of their evolving popularity. Apple, you've actually broken into the real industry and not the hobbyist, it's time to put your pants on and get open about your problems and what you're doing to fix them!
I'm not surprised really to see a corporation sponsored "Hacker" conference have talks canceled due to confidentiality agreements.
I've yet to hear a real hacker conference have their talks canceled due to something like that. Normally cancellations involve the speaker being escorted out in handcuffs.
But honestly there are far better, and more hacker-centric conferences out there than Black Hat. Conferences that come to mind are Chaos Communications Camp (or Chaos Communications Congress in the winter), Defcon, and even H.O.P.E. are far better choices than Black Hat.
There are more conferences out there that have the same "hacker spirit" but aren't as hard-core like NotaCon which has more of a social atmosphere to it.
But I digress, plan to see more of these types of cancellations at Black Hat in the future since the corporations just are looking for another excuse to line their pockets with more money. The fees for this Conference are astronomical, anywhere between $1300.00 to $5000.00 PER TALK compared to The Last H.O.P.E. where the price was ~$80.00 total as in you pay $80.00 and you get to go to EVERYTHING.
-VK
1. Create two accounts on your Mac. One is a throwaway with FileVault turned on.
2. Log in to both and switch to your non-FileVault account.
3. Copy a large enough chunk of data to the drop box of the FileVault user so that you will ALMOST fill up the boot drive.
4. Duplicate that data to another folder on your boot drive.
5. Wait till the hard drive fills up and you have 0 K on the drive.
6. Launch Safari and load a few web pages with lots of rotating ads. This is to guarantee that more data is being brought onto the hard drive.
At some point, the FileVault account becomes corrupted. You can't log in to it, you can't recover it. It's gone.
- Zav - Imagine a Beowulf cluster of insensitive clods...
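The failure mode described in the steps above is an encrypted home image that gets corrupted because the boot volume fills up underneath it. As an added example (not part of the thread, and not Apple's tooling), the following script is one preventive control a defender could put in front of bulk copies into such a volume: it refuses the copy unless a free-space margin would remain afterwards. It assumes POSIX `df -P`, `du -k`, `awk` and `cp -R`; the margin in KB is a parameter with an assumed default of 1 GiB.

```shell
#!/bin/sh
# Added example, not part of the thread above: a pre-flight check that refuses
# to copy data into a volume (for instance one holding an open FileVault image)
# unless a free-space margin remains afterwards. Assumes POSIX df -P, du -k,
# awk and cp -R; the margin in KB is a parameter (default 1 GiB).

# Available kilobytes on the volume that holds PATH.
avail_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Size in kilobytes of SRC (a file or a directory tree).
size_kb() {
    du -sk "$1" | awk '{ print $1 }'
}

# Succeed (exit 0) only if copying SRC into DST leaves at least MARGIN_KB free.
copy_fits() {
    src=$1
    dst=$2
    margin=${3:-1048576}
    need=$(size_kb "$src")
    have=$(avail_kb "$dst")
    [ "$((have - need))" -ge "$margin" ]
}

# Copy SRC into DST only when copy_fits approves; otherwise explain and fail.
guarded_copy() {
    if copy_fits "$1" "$2" "$3"; then
        cp -R "$1" "$2"
    else
        echo "refusing to copy $1: fewer than ${3:-1048576} KB would remain free under $2" >&2
        return 1
    fi
}

# Usage when run directly: guarded_copy.sh SRC DST [MARGIN_KB]
if [ "$#" -ge 2 ]; then
    guarded_copy "$1" "$2" "$3"
fi
```

Run it as `guarded_copy.sh bigfolder ~/Public/Drop\ Box` (or with an explicit margin as the third argument); the check uses the destination path, so it measures the volume the encrypted image actually lives on rather than the current directory.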
This is Jobs. Jobs has bitch-tits.
Apple makes pretty good products. But in some ways their business practices are worse than Microsoft's. They are so secretive that it is scary. They add to it by attacking the PC industry and saying how their product is better, but all they will give you for information is press releases. At least MS is finally being more open about what is going on in the background with things like Channel 9 and various blogs. There is a line where you have to protect company interests, but it shouldn't compromise the customers' ability to make an informed choice.
Rule #34: There's an iPod silhouette poster of it. No exceptions.
Rule #35: If there isn't an iPod silhouette of it, Jobs will make an iPod silhouette advertisement of it.
(MOAR!)
'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said."
Then Apple marketing people aren't very smart, are they? Because it sure isn't helping the perception that Apple is lax on security.
Main difference between the BSD license and the GPL license: one is from California and the other is from Massachusetts
Apple reality distortion has been going on since the Apple ][ days: lying about sales and popularity ("We're #1", behind Radio Shack and Commodore...), saying less is better (more flexible! just add bunches of cards), etc.
Such current ones I note are the bolstering of 'intuitive' and 'just works'. Those are actually brought over from old MacOS days. OSX may be prettier but the UI guidelines for intuitive behavior died with Mail and AddressBook, and printer management. "Just works" only applies to Mac-to-Mac when networking; try to do Linux or Windows servers and your mileage may vary.
Also the change from AppleWorks to iWork took a chunk out of compatibility too (AppleWorks at least had a Windows version).
We've been using Macs here since the floppy-only Plus and SE and there was quite a usability hit with OSX - maybe networking has improved (SMB) but application, usability and interfaces became really confused.
Worry about Apple: people may be jumping from Windows for one reason or another to easily soon end up with similar lock-in on the Mac. We will still use Macs here, as they are initially more secure than Windows and easy to use, but I tread carefully not to employ dead-end applications like iWork and lock us into only Macs.
Obviously Marketing rules at Apple. And you're surprised -- why?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Hacker "Hai dude your OS is insecure"
Apple "No, it is perfectly secure"
Hacker" Seriously, duuuude, watch me hack your machine"
Apple "Can't be done, our software was blessed by the gods of Steve"
Hacker "Duude, I'm not kidding, I'm in your machine, watch as I buy some child porn with your credit card"
Apple "Ha, all a figment of your imagination, our marketing department says we have the best operating system in existence"
FBI "excuse me sir I would like to talk to you regarding the purchase of illicit child porn"
Apple [while being dragged away] "I can assure you this has nothing to do with our operating system "
Hacker "hmm bummer, did that fed have a macbook, he looks like an anal sex type of guy to me heh"
[clickety clickety]
chmod go-w ~/Public/Drop\ Box
Admittedly - it is a problem, but it certainly has a workaround.
The secret to creativity is knowing how to hide your sources. - Albert Einstein
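The `chmod go-w` workaround above closes the fill-up vector by taking group and world write off the Drop Box. As an added example (not from the thread, and not Apple's tooling), here is a small POSIX `sh` script that audits a directory for shared write access, applies that same workaround, and verifies the result instead of assuming it took. It assumes `ls -ld`, `cut` and `chmod`; the directory path is a parameter.

```shell
#!/bin/sh
# Added example, not from the thread: audit a shared drop directory for group- or
# world-write permission, apply the chmod go-w workaround, then verify it took.
# Assumes POSIX sh with ls -ld, cut and chmod; the directory is a parameter.

# The 10-character mode string of PATH, e.g. drwxrwxrwx (ACL/xattr flags dropped).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeed (exit 0) if the group (char 6) or other (char 9) write bit is set.
is_shared_writable() {
    case "$(mode_of "$1")" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Remove group/other write access from PATH and confirm the change.
harden_dropbox() {
    dir=$1
    if ! is_shared_writable "$dir"; then
        echo "$dir already denies group/other write ($(mode_of "$dir"))"
        return 0
    fi
    chmod go-w "$dir" || return 1
    if is_shared_writable "$dir"; then
        echo "failed to harden $dir ($(mode_of "$dir"))" >&2
        return 1
    fi
    echo "hardened $dir -> $(mode_of "$dir")"
}

# Usage when run directly: harden_dropbox.sh ~/Public/Drop\ Box
if [ "$#" -ge 1 ]; then
    harden_dropbox "$1"
fi
```

The trade-off is the one the commenter implies: other local users lose the ability to drop files there, which is the feature the directory exists for, so this is a containment measure for the disk-fill problem rather than a fix for it.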
This is a stumbling block on Apple's road to the enterprise. That's out of alignment with the technology plan for Snow Leopard server, which includes many new features directly aimed at supporting the mid-sized enterprise.
Combine that with the general trend towards browser-as-client, and with the advent of VMware Fusion and Parallels, at a time when there's no compelling case to deploy Vista during a desktop refresh, and Apple has a significant position from which to attack the enterprise desktop & backend.
However: transparency, rapid response, and disclosure rule the day with competent corporate security teams, and this kind of malarkey just won't wash with my guys.
Apple Security? That seems like one of them there oxymorons, like Fiscal Conservative, or Republican Thought.
Anyone who knows anything knows Apple and Security don't even belong in the same language, much less sitting next to each other in a sentence.
Hallo, zis is Herr Flick of ze Gestapo, you are not allowed to speak publicly about security matters of the Reich. You may kiss me now Helga.
1. It only encrypts home directory; /tmp, /var/log, and what have you are still unencrypted
2. Turning on FileVault doesn't automatically enable encrypted SWAP (minor problem, as it is easily addressed)
3. When the computer goes into safe sleep, the contents of RAM are written to disk - the key is in plain text!
4. The Volume Key is unlocked from the login password. This is massively inconvenient, as I would like to have the crypto well protected, but my user account - not so much. So I wound up having a 30-character login password.
5. MOST DISCONCERTING: The Volume Key is actually encrypted using the login password. This is common cryptographic practice, as it allows for password changes and more cryptographically secure keys for disk encryption. However, the encryption used on the volume key is 3DES, with an effective key length of 112 bits. This significantly reduces the key space (from the 128-bit AES used on FileVault).
Later versions of FileVault can also use 1024-bit RSA to encrypt the volume key. In this case, the cryptographic strength is ~80 bits.
I'm curious if this works with Filevault accounts created under OS X 10.4.7 or later versions of OS X?
10.4.7 changed the way the AES key is stored. Before it was at the end of the Filevault disk image, which meant the key would have to be rewritten when the disk image expanded, which meant there was a dangerously high probability it might not be saved back correctly, thus rendering the image unusable. Since 10.4.7 it has been at the beginning of the disk image, so it never needs to be rewritten.
If the problem the parent described was due to the (encrypted) AES key not being rewritten, then 10.4.7 should have fixed it.
Apple does NOT get brownie points for how it originally chose to store the key, among other Filevault design deficiencies. {insert frowny face here}
Please let us know...
Hackers: We're gonna present security issues with Apple solutions at the Black Hat Conference in Vegas! It's going to be great!
Apple Marketing: *Waves hand*...There are no security issues with Apple products.
Hackers: There are no security issues with Apple products.
Apple Marketing: You will withdraw your presentations.
Hackers: We will withdraw our presentations.
Apple Marketing: You want to be in Apple's "PC and Mac" TV ads.
Hackers: We want to be...No we don't!
I find it amusing that the Darwin kernel and MacOS X system software evolved from OpenBSD, another secretive project run by a paranoid lunatic.
The "marketing got wind of it" quote from the summary is attributed to the Blackhat organizer, not Apple's marketing department. There's your daily dose of slashdot bias for ya.
(completely ignoring any issues of intentional inaccuracy)
The difference between DeRaadt and Jobs is how they want things fixed.
DeRaadt gets the issue solved. Jobs takes a page from Cisco and IBM by sending lawyers until the person is gone from the earth.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
I am pretty sure charles edge did not figure this out and just canceled because he did not have any....code!
One thing that bugs me about Apple products is they take ease of use over functionality. For example, the power setting for a laptop doesn't let you step down the speed of the CPU; you just set it to some warm and fuzzy "Better Energy Savings" and hope the designers got it right. Often I need tools that a real UNIX would have, so I got MacPorts and modded the hell out of it so that I can do what I'm used to.