Slashdot Mirror


Two Black Hat Talks On Apple Security Cancelled

An anonymous reader writes "Two separate Apple security talks have been nixed at the last minute from next week's Black Hat security conference in Las Vegas. The Washington Post's Security Fix blog reports that Apple researcher Charles Edge was to present on flaws in Apple's FileVault encryption plan, but asked Black Hat to cancel the talk, citing confidentiality agreements with Apple. Then on Friday, Apple pulled its security engineering team out of a planned public discussion on the company's security practices — which would have been a first for Apple. 'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said."

37 of 125 comments

  1. Marketing? by KDR_11k · · Score: 5, Insightful

    Sounds like the marketing policy is "pretend there are no security issues". Hey, it seems to work.

    --
    Justice is the sheep getting arrested while an impartial judge declares the vote void.
    1. Re:Marketing? by Bloodhound+Alpha · · Score: 5, Insightful

      The Marketing policy, not the company's policy. Obviously the company releases patches, but marketing, in relation to the public, pretends there are no issues. Quite a difference really.

    2. Re:Marketing? by mikael_j · · Score: 5, Informative

      Sounds like just about every large ISP I've had the "pleasure" of working with. A small ISP's president will go issue a press release saying "Lightning took out two of our DSLAMs last night but it will be fixed ASAP", they'll most likely also record an automated message informing customers calling tech support about this. A large ISP OTOH will most likely keep quiet as long as possible, then issue a small notice on their website stating "Some of our customers are currently experiencing technical difficulties, our intarweb experts are investigating the problem and hope to have it fixed soon" and no information to customers calling tech support other than "There are 173 customers ahead of you, the wait time is 2 hours and 12 minutes".

      /Mikael

      --
      Greylisting is to SMTP as NAT is to IPv4
    3. Re:Marketing? by fortyonejb · · Score: 5, Interesting

      It's somewhat of a sad fact that this has been considered as fair and normal practice in the industry. Maybe because no real "safety" issues can be dragged into the mess, people who are not in the know simply do not care.

      Just to make sure I'm /. approved, let's use the highly venerated auto industry. When product issues come up, auto makers must make their shortcomings public, and even issue recalls to fix said problems.

      Just because my PC doesn't explode when hit from the rear, doesn't mean the shortcomings are any less valid. While of course marketing does not want anyone to know anything bad could ever happen with a Mac, it would be better for the company and its clients to have a more open dialog. Pretending there are no holes does not fill them.

    4. Re:Marketing? by falcon5768 · · Score: 2, Insightful

      Well the issue is from a marketing perspective it DOES look bad, but from USER perspective it looks good, but only to those of us in the industry who care, which is NOT who marketing is going after.

      --

      "Slashdot, where telling the truth is overrated but lying is insightful."

    5. Re:Marketing? by billcopc · · Score: 3, Insightful

      When product issues come up, auto makers must make their shortcomings public

      Um, no. Recalls are a business strategy like any other. The lawyers sit down with the accountants, figure out total costs for a recall and a class-action lawsuit, and pick the cheaper of the two.

      You'd be shocked to find out how often the lawsuit actually ends up cheaper. That's largely because class-action settlements have a very narrow scope, and only a small portion of the customer base will actually join the class.

      --
      -Billco, Fnarg.com
    6. Re:Marketing? by Goaway · · Score: 5, Insightful

      Apple is quiet about everything. This is not a case of Apple trying to cover up security problems, it's merely that Apple talks about nothing, ever, and that includes security policies.

    7. Re:Marketing? by Bloodhound+Alpha · · Score: 5, Insightful

      Indeed, that is their strategy. It does serve though, to cover up security problems, and get people used to them acting secretive because, well, they are secretive.

    8. Re:Marketing? by Truekaiser · · Score: 2, Insightful

      That's because Jobs is an egomaniac. Any flaw means there was a mistake, and egomaniacs think they never make mistakes.

    9. Re:Marketing? by alex4u2nv · · Score: 2

      It's a very good practice to leave holes open for script kiddies.

      --
      Hide the problem until there's an avalanche in your face?

    10. Re:Marketing? by porcupine8 · · Score: 3, Insightful

      The question is - do you know this to be true from personal industry experience, or are you just quoting Fight Club?

      --
      Warning: Apple/Nintendo fangirl. Likes her electronics cute & cuddly. May be rabid.
    11. Re:Marketing? by Poltras · · Score: 2, Funny

      The question is - do you know this to be true from personal industry experience, or are you just quoting Fight Club?

      Damn, you forgot the first rule!

    12. Re:Marketing? by ScrewMaster · · Score: 3, Interesting

      'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said.

      I'd say it's more likely that legal got wind of it, not marketing.

      --
      The higher the technology, the sharper that two-edged sword.
  2. Sounds very logical to me. by Anonymous Coward · · Score: 4, Insightful

    From a management and shareholder perspective I think it's quite normal and understandable for Apple to create such a policy.
    A self-acclaimed public spokesperson representing your company on a subject without prior permission?

    You must be a veteran here but new on the job market.

    1. Re:Sounds very logical to me. by vertinox · · Score: 4, Insightful

      From a management and shareholder perspective I think it's quite normal and understandable for Apple to create such a policy.

      For a term holder then yes, but if you are a long term, then bad PR like this isn't desirable for company image over the course of several years.

      Besides, just because you don't disclose the exploit, doesn't mean it goes away.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    2. Re:Sounds very logical to me. by lostmongoose · · Score: 5, Insightful

      The problem is not that they need permission. The problem is that they need permission from *marketing*. This should be the legal team's job. When you let marketing make these decisions, management (not the engineers, obviously) have effectively said "There are no flaws in our product and if you say there are then we're wrong and we all know we're never wrong."

  3. Shhh, if we don't admit anything by CrypticSpawn · · Score: 2, Insightful

    I guess, Apple is still very much old school; when it comes to admitting their mistakes. Or they just might believe in security thru obscurity. Either way this move, put them in the lime light even more. Great work marketing. Someone deserves to be fired...

    1. Re:Shhh, if we don't admit anything by Sancho · · Score: 3, Funny

      I wish there was an "incomprehensible grammar" mod....

  4. Re:Marketing == American lawyers by MyLongNickName · · Score: 2, Funny

    preferred method should be beating to death by a stick.
    My guess is you lack the upper body strength to pick up a stick.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  5. Steve is not impressed by bxwatso · · Score: 4, Interesting

    This must be bittersweet for Steve B., since Apple likes to tout that its software is more secure than Vista. I wonder if Walt Mossberg is taking note of this.

    I think Steve J.'s brand of evil is about the same as MS's, but because they are perceived as underdogs, people don't care as much.

    1. Re:Steve is not impressed by eclectic4 · · Score: 2, Interesting

      "This must be bittersweet for Steve B., since Apple likes to tout that its software is more secure than Vista. I wonder if Walt Mossberg is taking note of this."

      Why? I didn't read anywhere in this article that stated Mac OS X is less secure than Windows... as it would be just plain silly.

      "I think Steve J.'s brand of evil is about the same as MS's, but because they are perceived as underdogs, people don't care as much."

      You may be right. But it doesn't change the fact that more and more consumers are simply realizing that Apple sucks less than Microsoft in almost every area. But, I can only assume that's what you meant would be the benefit of people "perceiving" Apple as underdogs, as you also didn't state this. Suggesting that being perceived as underdogs would increase sales is, well... also very silly.

      --

      "The greatest obstacle to discovery is not ignorance - it is the illusion of knowledge." - Daniel Boorstin
    2. Re:Steve is not impressed by bxwatso · · Score: 3, Interesting

      My points were that if Apple is really more secure than Vista, Apple would welcome a thorough investigation of its OS. In that regard, MS is more proactive. Personally, I find both OS's acceptable regarding security.

      I do think that a lot of people are turned off by the size of MS more than the quality of its products. A lot of people want something different to express themselves. Even when Apple truly sucked (and it did), a fair number of people stuck with them presumably to distance themselves from the giant and evil MS.

    3. Re:Steve is not impressed by azav · · Score: 2, Funny

      You are absolutely correct. It still sucks, it just sucks less.

      I remember the Apple internal code name for their sound manager in or around 1989. It was called Barking Pumpkin and their motto was "it just sucks less."

      --
      - Zav - Imagine a Beowulf cluster of insensitive clods...
    4. Re:Steve is not impressed by Smurf · · Score: 4, Insightful

      My points were that if Apple is really more secure than Vista, Apple would welcome a thorough investigation of its OS.

      Probably. But do take into account that the engineers (i.e., the people who actually KNOW the technical details) WANTED to have the discussion.

      The decision to cancel it came from marketing, those who don't understand the technical details but are reasonably afraid that someone might pull a rabbit from their hat and make Macs look bad.

    5. Re:Steve is not impressed by porcupine8 · · Score: 2, Interesting

      Not necessarily - if they are more secure than Vista, but less secure than the current public perception, then why would they want to bring public perception of their security down, even if it's still higher than Vista?

      --
      Warning: Apple/Nintendo fangirl. Likes her electronics cute & cuddly. May be rabid.
  6. Apple Marketing is the "best". by Anonymous Coward · · Score: 3, Interesting

    Apple's marketing is genius.

    A few years back, they were talking up how FileVault (home folder encryption) uses AES-128 encryption, implying that it would take longer to crack than the age of the universe.
    http://www.apple.com/sg/macosx/features/filevault/

    Meanwhile, the password could often be found in plain text on the hard drive in swap files. This was back before encrypting swap was an option.

    It's also funny how a company that sells itself as secure has root privilege escalation without a password as a feature out of the box.
    http://www.apple.com/sg/macosx/features/security/

    I guess the default account having root access is sort of an industry standard given Windows. Phrases like "wise architectural decisions" are relative, so not strictly false. I won't touch "intelligent design".

    But saying, and I quote, "The Mac OS X administrator account, unlike the Windows admin account, disables access to the core functions of the operating system." is an outright lie (see above "root privilege escalation feature").

  7. There are still some Apple-related talks left: by secmartin · · Score: 2, Informative

    While it's pretty sad to hear that their security team is not allowed to speak, there are still two talks about Apple products left: Jesse D'Aguanno's talk about rootkits for OS X, and Petko D. Petkov who announced he might provide some details about a 0-day attack against Quicktime.

  8. I haven't been fucked like that since the NextCube by billcopc · · Score: 4, Funny

    Rule #1: You do not talk about Apple flaws
    Rule #2: You DO NOT talk about Apple flaws
    Rule #3: If someone says "stop" or goes limp, taps out we make him the CEO
    Rule #4: Only two sentences to an argument
    Rule #5: One argument at a time
    Rule #6: No punch, no daiquiris
    Rule #7: Cover-ups will go on as long as they have to
    Rule #8: If this is your first night at Apple flaws, you HAVE to swallow

    --
    -Billco, Fnarg.com
  9. Not Surprised by Anonymous Coward · · Score: 2, Interesting

    I'm not surprised really to see a corporation-sponsored "Hacker" conference have talks canceled due to confidentiality agreements.

    I've yet to hear a real hacker conference have their talks canceled due to something like that. Normally cancellations involve the speaker being escorted out in handcuffs.

    But honestly there are far better, and more hacker-centric conferences out there than Black Hat. Conferences that come to mind are Chaos Communications Camp (or Chaos Communications Congress in the winter), Defcon, and even H.O.P.E. are far better choices than Black Hat.

    There are more conferences out there that have the same "hacker spirit" but aren't as hard-core like NotaCon which has more of a social atmosphere to it.

    But I digress, plan to see more of these types of cancellations at Black Hat in the future since the corporations just are looking for another excuse to line their pockets with more money. The fees for this Conference are astronomical, anywhere between $1300.00 to $5000.00 PER TALK compared to The Last H.O.P.E. where the price was ~$80.00 total as in you pay $80.00 and you get to go to EVERYTHING.

    -VK

  10. Re:definitely MS's doing by Tom90deg · · Score: 2, Interesting

    Well, of course! Apple is the underdog. Never mind the fact that it has the number one selling music player, and the market share is increasing, and that iTunes is extremely popular, and people are killing others for an iPhone...

    Oh wait. Maybe Apple ISN'T the underdog. Maybe its practices are just the same as any other large company that wants to make a profit. It's no different from any others in that respect, in fact, it may be worse, as people excuse Apple for a lot, as they still think of it as the underdog.

  11. Here's a serious flaw with FileVault by azav · · Score: 3, Interesting

    1. Create two accounts on your Mac. One is a throwaway with FileVault turned on.
    2. Log in to both and switch to your non FileVault account.
    3. Copy a large enough chunk of data to the drop box of the FileVault user so that you will ALMOST fill up the boot drive.
    4. Duplicate that data to another folder on your boot drive.
    5. Wait till the hard drive fills up and you have 0 K on the drive.
    6. Launch Safari and load a few web pages with lots of rotating ads. This is to guarantee that more data is being brought onto the hard drive.

    At some point, the FileVault account becomes corrupted. You can't log in to it, you can't recover it. It's gone.

    --
    - Zav - Imagine a Beowulf cluster of insensitive clods...
    1. Re:Here's a serious flaw with FileVault by lukas84 · · Score: 2

      As I understood it, one user can fuck up another user's account, without the need for administrative privileges.

      This *is* an issue.

    2. Re:Here's a serious flaw with FileVault by bill_mcgonigle · · Score: 2, Informative

      Here's another: You can't use Time Machine properly if you use FileVault. Backup or encryption, pick one.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  12. The sad thing is by ILongForDarkness · · Score: 5, Insightful

    Apple makes pretty good products. But in some ways their business practices are worse than Microsoft's. They are so secretive that it is scary. They add to it by attacking the PC industry and saying how their product is better, but all they will give you for information is press releases. At least MS is finally being more open with what is going on in the background with things like Channel 9 and various blogs. There is a line where you have to protect company interests, but it shouldn't compromise the customers' ability to make an informed choice.

    1. Re:The sad thing is by ScrewMaster · · Score: 2, Insightful

      I'd say it's more like Apple is dependent upon the consumers in their chosen market segment being (to a certain degree) computer illiterate. And let's face it, computer illiterates aren't likely to make an informed choice when it comes to buying a computer or choosing an OS. All they can do is follow marketing fluff about simplicity and ease-of-use.

      Now, that's no dig at Apple's products ... by and large they deliver on what their market-droids promise. It's just that Apple made the conscious choice to target people who are often really too stupid to use a computer.

      --
      The higher the technology, the sharper that two-edged sword.
  13. Solution: by e4g4 · · Score: 2, Informative

    chmod go-w ~/Public/Drop\ Box

    Admittedly - it is a problem, but it certainly has a workaround.

    --
    The secret to creativity is knowing how to hide your sources. - Albert Einstein
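    An added defensive check for the Drop Box disk-fill problem in comment 11 and the chmod workaround in comment 13 (example script written for this page, not posted by anyone in the thread): it audits each home directory's Public/Drop Box for group/other write bits, applies `chmod go-w`, and flags a nearly full volume. The home roots (/Users, /home) and the free-space threshold are assumptions.

```shell
#!/bin/sh
# Added example: audit and harden world-writable Drop Box folders, and warn
# when the boot volume is nearly full (the condition the thread's recipe
# needs to corrupt a FileVault home). Portable across macOS and Linux.

# Return 0 if group or other has the write bit on the directory, 1 otherwise.
# Parses `ls -ld` so it does not depend on BSD vs GNU `stat` flags.
dropbox_is_open() {
    perms=$(ls -ld "$1" | cut -c1-10)      # e.g. "drwx-wx-wx" (macOS default)
    case "$perms" in
        ?????w*|????????w*) return 0 ;;   # char 6 = group w, char 9 = other w
        *) return 1 ;;
    esac
}

# Remove group/other write access (the workaround from comment 13).
harden_dropbox() {
    chmod go-w "$1"
}

# Free space on the filesystem holding $1, in kilobytes (POSIX df -Pk).
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Return 0 if free space is below the kilobyte threshold in $2. The caller
# picks the threshold (assumed); FileVault sparse images need room to grow.
free_space_low() {
    [ "$(free_kb "$1")" -lt "$2" ]
}

# Walk every home directory; report open Drop Boxes and fix them with --fix.
audit_all() {
    for home in /Users/* /home/*; do       # assumed home roots
        box="$home/Public/Drop Box"
        [ -d "$box" ] || continue
        if dropbox_is_open "$box"; then
            echo "open: $box"
            if [ "$1" = "--fix" ]; then harden_dropbox "$box"; fi
        fi
    done
    if free_space_low / 1048576; then      # assumed threshold: 1 GiB
        echo "warning: boot volume has less than 1 GiB free"
    fi
}
```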
  14. Quote out-of-context by stewbacca · · Score: 2, Interesting

    The "marketing got wind of it" quote from the summary is attributed to the Blackhat organizer, not Apple's marketing department. There's your daily dose of slashdot bias for ya.