Two Black Hat Talks On Apple Security Cancelled

An anonymous reader writes "Two separate Apple security talks have been nixed at the last minute from next week's Black Hat security conference in Las Vegas. The Washington Post's Security Fix blog reports that Apple researcher Charles Edge was to present on flaws in Apple's FileVault encryption plan, but asked Black Hat to cancel the talk, citing confidentiality agreements with Apple. Then on Friday, Apple pulled its security engineering team out of a planned public discussion on the company's security practices — which would have been a first for Apple. 'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said."

Marketing?

[KDR_11k]

Sounds like the marketing policy is "pretend there are no security issues". Hey, it seems to work.

Re:Marketing?

[Bloodhound+Alpha]

The Marketing policy, not the company's policy. Obviously the company releases patches, but marketing, in relation to the public, pretends there are no issues. Quite a difference really.

Re:Marketing?

[mikael_j]

Sounds like just about every large ISP I've had the "pleasure" of working with. A small ISP's president will go issue a press release saying "Lightning took out two of our DSLAMs last night but it will be fixed ASAP", they'll most likely also record an automated message informing customers calling tech support about this. A large ISP OTOH will most likely keep quiet as long as possible, then issue a small notice on their website stating "Some of our customers are currently experiencing technical difficulties, our intarweb experts are investigating the problem and hope to have it fixed soon" and no information to customers calling tech support other than "There are 173 customers ahead of you, the wait time is 2 hours and 12 minutes".

/Mikael

Re:Marketing?

[fortyonejb]

It's somewhat of a sad fact that this has been considered as fair and normal practice in the industry. Maybe because no real "safety" issues can be dragged into the mess, people who are not in the know simply do not care.

Just to make sure i'm /. approved, lets use the highly venerated auto industry. When product issues come up, auto makers must make their shortcomings public, and even issue recalls to fix said problems.

Just because my PC doesn't explode when hit from the rear, doesn't mean the shortcomings are any less valid. While of course marketing does not want anyone to know anything bad could ever happen with a Mac, it would be better for the company and its clients to have a more open dialog. Pretending there are no holes does not fill them.

Re:Marketing?

[billcopc]

When product issues come up, auto makers must make their shortcomings public

Um, no. Recalls are a business strategy like any other. The lawyers sit down with the accountants, figure out total costs for a recall and a class-action lawsuit, and pick the cheaper of the two.

You'd be shocked to find out how often the lawsuit actually ends up cheaper. That's largely because class-action settlements have a very narrow scope, and only a small portion of the customer base will actually join the class.

Re:Marketing?

[Goaway]

Apple is quiet about everything. This is not a case of Apple trying to cover up security problems, it's merely that Apple talkes about nothing, ever, and that includes security policies.

Re:Marketing?

[Bloodhound+Alpha]

Indeed, that is their strategy. It does serve though, to cover up security problems, and get people used to them acting secretive because, well, they are secretive.

Re:Marketing?

[porcupine8]

The question is - do you know this to be true from personal industry experience, or are you just quoting Fight Club?

Re:Marketing?

[ScrewMaster]

'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said."

I'd say it's more likely that legal got wind of it, not marketing.

Sounds very logic to me.

From a managements and sharehold perspective I think it's quite normal and understandable of Apple creating such a policy.
A self-acclaimed public spokesperson respresenting your company about a subject without prior permission?

You must be a veteran here but new on the job market.

Re:Sounds very logic to me.

[vertinox]

From a managements and sharehold perspective I think it's quite normal and understandable of Apple creating such a policy.

For a term holder then yes, but if you are a long term, then bad PR like this isn't desirable for company image over the course of several years.

Besides, just because you don't disclose the exploit, doesn't mean it goes away.

Re:Sounds very logic to me.

[lostmongoose]

The problem is not that they need permission. The problem is that they need permission from *marketing*. This should be the legal team's job. When you let marketing make these decisions, management (not the engineers, obviously) have effectively said "There are no flaws in our product and if you say there are then we're wrong and we all know we're never wrong."

Steve is not impressed

[bxwatso]

This must be bitter sweet for Steve B., since Apple likes to tout that it's software is more secure than Vista. I wonder if Walt Mossberg is taking note of this.

I think Steve J.'s brand of evil is about the same as MS's, but because they are perceived as underdogs, people don't care as much.

Re:Steve is not impressed

[bxwatso]

My points were that if Apple is really more secure than Vista, Apple would welcome a thorough investigation of its OS. In that regard, MS is more proactive. Personally, I find both OS's acceptable regarding security.

I do think that a lot of people are turned off by the size of MS more than the quality of its products. A lot of people want something different to express themselves. Even when Apple truly sucked (and it did), a fair number of people stuck with them presumably to distance themselves from the giant and evil MS.

Re:Steve is not impressed

[Smurf]

My points were that if Apple is really more secure than Vista, Apple would welcome a thorough investigation of its OS.

Probably. But do take into account that the engineers (i.e., the people who actually KNOW the technical details) WANTED to have the discussion.

The decision to cancel it came from marketing, those who don't understand the technical details but are reasonably afraid that someone might pull a rabbit from their hat and make Macs look bad.

Apple Marketing is the "best".

Apple's marketing is genius.

A few years back, they were talking up how FileVault (home folder encryption) uses AES-128 encryption, implying that it would take longer to crack than the age of the universe.
http://www.apple.com/sg/macosx/features/filevault/

Meanwhile, the password could often be found in plain text on the hard drive in swap files. This was back before encrypting swap was an option.

It's also funny how a company that sells itself as secure has root privilege escalation without a password as a feature out of the box.
http://www.apple.com/sg/macosx/features/security/

I guess the default account having root access is sort of an industry standard given Windows. Phrases like "wise architectural decisions" are relative, so not strictly false. I won't touch "intelligent design".

But saying, and I quote, "The Mac OS X administrator account, unlike the Windows admin account, disables access to the core functions of the operating system." is an outright lie (see above "root privilege escalation feature").

I haven't been fucked like that since the NextCube

[billcopc]

Rule #1: You do not talk about Apple flaws
Rule #2: You DO NOT talk about Apple flaws
Rule #3: If someone says "stop" or goes limp, taps out we make him the CEO
Rule #4: Only two sentences to an argument
Rule #5: One argument at a time
Rule #6: No punch, no daiquiris
Rule #7: Cover-ups will go on as long as they have to
Rule #8: If this is your first night at Apple flaws, you HAVE to swallow

Here's a serious flaw with FileVault

[azav]

1. Create two accounts on your mac. One is a throaway with fileVault turned on.
2. Log in to both and switch to your non FileVault account.
3. Copy a large enough chunk of data to the drop box of the FileVault user so that you will ALMOST fill up the boot drive.
4. Duplicate that data to another folder on your boot drive.
5. Wait till the hard drive fills up and you have 0 K on the drive.
6. Launch Safari and load a few web pages with lots of rotating ads. This is to guarantee that more data is being brought onto the hard drive.

At some point, the FileVault account becomes corrupted. You can't log in to it, you can't recover it. It's gone.

The sad thing is

[ILongForDarkness]

Apple makes pretty good products. But in some ways their business practices are worse than Microsofts. They are so secretive that it is scary. They add to it by attacking the PC industry and saying how their product is better but all they will give you for information is press releases. At least MS is finally being more open with want is going on in the background with things like Channel 9 and versus blogs. There is a line where you have to protect company interests but it shouldn't compromise the customers' ability to make an informed choice.

Re:Shhh, if we don't admit anything

[Sancho]

I wish there was an "incomprehensible grammar" mod....