Apple Joins 'Em, With Black Hat Presentation on iOS Security Model

← Back to Stories (view on slashdot.org)

Apple Joins 'Em, With Black Hat Presentation on iOS Security Model

Posted by timothy on Tuesday July 24, 2012 @04:25AM from the without-the-groucho-glasses-at-least dept.

An anonymous reader writes with this excerpt from Network World: "For the first time, Apple will officially be in attendance at the annual Black Hat security conference which is scheduled to run through Thursday of this week. This is a notable development for two reasons. First, Apple has never formally attended the conference. Two, many of the more prominent stories to emerge out of previous Black Hat events have centered on Apple security. Representing Apple at the conference will be Apple platform security manager Dallas De Atley who is scheduled to deliver a speech on Thursday about the security technologies in iOS. Some have speculated that Apple's decision to attend the conference is rooted in their desire to make further inroads in the enterprise market while others believe it's a sign that Apple recognizes the growing importance of having a more open relationship with the hacker community at large."

34 comments

Min score:

Reason:

Sort:

Neither by Anonymous Coward · 2012-07-24 04:31 · Score: 0, Funny

It's so that they get a bully pulpit to reproclaim how much nicer iOS is because, "It doesn't get Windows viruses."
It was said at Black Hat, therefore it is true!
1. Re:Neither by SJHillman · 2012-07-24 04:50 · Score: 1
  
  At least they pulled that claim from their website
2. Re:Neither by Penguinisto · 2012-07-24 05:14 · Score: 3, Insightful
  
  Actually, I think it's a damned good thing for any vendor to do.
  BH has been a solid source of good old fashioned hacking knowledge (I daresay second only to 2600 back in that publication's heyday).
  Most folks here know that the best way to make secure software (or at least improve what you've got) is to talk and interact with the hobbyists who love tearing it apart. But instead of lavishing time and attention on attention-whores like (IMHO) Charlie Miller, it's better to instead take the time and get in the effing trenches, away from the press and the bloggers.
  The only negatives I can see is that it might just be lip service. If Apple is serious about this, it had damned well bring more to the table than marketing copy.
  TBH, if Microsoft did this I'd applaud the move... not holding my breath on that one happening, though.
  
  --
  Quo usque tandem abutere, Nimbus, patientia nostra?
3. Re:Neither by LordLimecat · 2012-07-24 05:49 · Score: 2
  
  Somehow I dont think that kind of speech flies super well @ BlackHat.
  Hopefully good things come from this-- I think its absurd when people try to claim that Macs are immune to viruses, and certainly Apple has some blame for that perception; but Im not about to slam them for taking at least a token step towards being serious about security.
  We've seen year to year in the Pwn2Own conferences that OSX certainly can be compromised, and I think by now it is clear that the only way to be "secure" is to invite the hacking community to form a relationship where they do the hard work of finding exploits and the vendor rewards their effort with financial rewards. Certainly if you go to the googlechromereleases.blogspot.com Chrome dev blog, you will see a couple of recurring faces in the "exploit disclosure and reward" section; Im sure Chrome's respectable security is due at least in part to this outsourced, commissions based model of checking for exploits. It doesnt really matter how brilliant your engineering team is, your software will have holes, and the more motivated eyes are on your security the better your product will become.
4. Re:Neither by mcgrew · 2012-07-24 05:50 · Score: 1
  
  Nevertheless, it was true. iOS can get trojans -- any OS can. But Windows is (I should say "was"?) the only OS you could get infected just from viewing an email or a web page. Every other OS requires you to do something stupid to get infected.
  
  --
  Free Martian Whores!
5. Re:Neither by Anonymous Coward · 2012-07-24 06:46 · Score: 0
  
  I don't know about that... I jailbroke my first iPod touch by going to a website and clicking a link that said "Jailbreak Me". It used a buffer overflow in libpng to jailbreak and reboot my phone without any further interaction on my part. Hands down the easiest "rooting" i've ever done. I guess Apple really does make things easy...
6. Re:Neither by Anonymous Coward · 2012-07-24 08:09 · Score: 0
  
  It was an accurate claim and not about iOS. You're just an empty headed troll.
7. Re:Neither by Anonymous Coward · 2012-07-24 09:29 · Score: 0
  
  Nevertheless, it was true. iOS can get trojans -- any OS can. But Windows is (I should say "was"?) the only OS you could get infected just from viewing an email or a web page. Every other OS requires you to do something stupid to get infected.
  Just say Windows popularized it, because nothing is that absolute. It very well may have been possible on other platforms but unnoticed or patched before anyone cared to exploit it. A short stroll down the CERT vulnerability list will find many once-open attack vectors and you can ponder from there what could have been.
  Also, "something stupid" is entirely subjective. Opening email from strangers was once "stupid" but the right answer is fixing the software, not blaming the user. Executable/installer signing might be the right answer to "don't run software from untrusted sources".
Know your enemy? by BeerCat · 2012-07-24 04:32 · Score: 3, Insightful

"Some have speculated that Apple's decision to attend the conference is rooted in their desire to make further inroads in the enterprise market while others believe it's a sign that Apple recognizes the growing importance of having a more open relationship with the hacker community"
Or maybe it's to find out at first hand what the black hats are planning - the quid pro quo is to make some presentations.

--
"She's furniture with a pulse"
1. Re:Know your enemy? by wiedzmin · 2012-07-24 04:39 · Score: 3, Interesting
  
  I don't know if BlackHat conference is the right place to find out what the black hats are planning, they should go to at least DefCon for that. I think it's the former - they're just trying to pretend that they do security by flashing their name in front of predominantly business audience that comprises BlackHat today. It's good for selling iPhones to executives.
  
  --
  Bow before me, for I am root.
2. Re:Know your enemy? by BeerCat · 2012-07-24 05:01 · Score: 2
  
  I think you could be right - it's 'tick boxing', which is beloved of corporate IT departments.
  Corporate IT: "Do you do ..."
  Vendor: "Yes, we do"
  C IT:"What about security?"
  V: "Obvious - we attended BlackHat"
  C IT: "OK, I'll take that as a given"
  PHBs will stop there. Non corporate IT will want to know "But what about DefCon. And, what did you _actually_ do at BlackHat"
  
  --
  "She's furniture with a pulse"
3. Re:Know your enemy? by Anonymous Coward · 2012-07-24 07:12 · Score: 0
  
  Apple's had people at the conference in the past, they just haven't presented.
4. Re:Know your enemy? by tlhIngan · 2012-07-24 07:24 · Score: 1
  
  Apple's attended BH over the years. This is probably the FIRST time they're actually presenting though.
  They've been to BH usually as "plainclothes employees" who don't idenify themselves as Apple employees (they only get recognized if you know them).
  Nothing really new, and it's really just to present some iOS security architecture that they released a document on a few months ago.
5. Re:Know your enemy? by Anonymous Coward · 2012-07-24 08:43 · Score: 0
  
  Or maybe it's to find out at first hand what the black hats are planning - the quid pro quo is to make some presentations.
  that or they're gonna find out how people are exploiting ios/osx, patent the methods, then sue the crap out of the black hats
Lol, no... by santax · 2012-07-24 04:37 · Score: 0, Troll

"while others believe it's a sign that Apple recognizes the growing importance of having a more open relationship with the hacker community at large." Lol, no... Apple is run by the people who are described perfectly and in great detail in the book 'snakes in suits'. Psychopaths that is... They do not want to have an open relationship. They need something from you. Probably an add will come on later: 'we work closely with the hacker community to make our stuff more secure" but we all know what happens when you find a bug, exploit or whatever on their devices and store. You get banned and sued right into oblivion.
1. Re:Lol, no... by santax · 2012-07-24 05:13 · Score: 1, Funny
  
  No you get your house raided by the cops lol :') This is Apple people. It good to see that you apple-employees have some accounts here and some mod-points, but it won't make it go away. This isn't your app-store ;)
2. Re:Lol, no... by tepples · 2012-07-24 05:34 · Score: 1
  
  we all know what happens when you exploit in the wild, without first reporting to Apple's security team a bug, exploit or whatever
  FTFY.
  Perhaps someone did report it to Apple's security team, but Apple's security team didn't act in a responsible manner. This happened with another company whose devices use another operating system called iOS: when a hacker reported a security problem in the Wii system software to Nintendo, Nintendo demanded to speak to the hacker's employer.
3. Re:Lol, no... by Grudge2012 · 2012-07-24 05:38 · Score: 1
  
  No you get your house raided by the cops lol :')
  
  Okay, who got his house raided by the cops (LOL or not) after he found a bug in any of Apple's products?
4. Re:Lol, no... by carou · 2012-07-24 05:45 · Score: 1
  
  Perhaps someone did report it to Apple's security team, but Apple's security team didn't act in a responsible manner. This happened with another company whose devices use another operating system called iOS: when a hacker reported a security problem in the Wii system software to Nintendo, Nintendo demanded to speak to the hacker's employer.
  Do you have a link for more information? I couldn't find anything about this with a brief google search.
  Anyway, there are several several examples of Apple crediting the discoverer in bug fixes, so I don't know why everybody here is jumping to the opposite conclusion.
5. Re:Lol, no... by RyuuzakiTetsuya · 2012-07-24 07:22 · Score: 1
  
  "Weâ(TM)re Apple. We donâ(TM)t wear suits. We donâ(TM)t even own suits." - Steve
  
  --
  Non impediti ratione cogitationus.
6. Re:Lol, no... by carou · 2012-07-24 12:02 · Score: 1
  
  No you get your house raided by the cops lol :')
  Okay, who got his house raided by the cops (LOL or not) after he found a bug in any of Apple's products?
  And santax suddenly went quiet.
LolZ by SNAPPLEX · 2012-07-24 05:36 · Score: 2

A more open relationship with the hackers? LOL wt heck?
Maybe they have undercover cops by Cutting_Crew · 2012-07-24 05:49 · Score: 1

awaiting outside of the conference building just in case someone discovers a hack or hole in their operating system. Or maybe perhaps they feel guilty banning that guy that made them look a little bit like fools.
Possibly a simple reason... by HerculesMO · 2012-07-24 06:15 · Score: 1

Because now Apple is getting virii and they want to start expanding their recruitment to actually replace their "security through obscurity" model by implementing *real* security measures.
Up until less than a year ago, there was no security division that external parties could even contact to tell Apple about vulnerabilities.

--
The price is always right if someone else is paying.
1. Re:Possibly a simple reason... by Greguar · 2012-07-24 08:44 · Score: 1
  
  Because now Apple is getting virii and they want to start expanding their recruitment to actually replace their "security through obscurity" model by implementing *real* security measures.
  It's probably more about image damage-control after having a reasonable-sized botnet stroll in through the wide open door of complacency on one of their platforms.
  
  Up until less than a year ago, there was no security division that external parties could even contact to tell Apple about vulnerabilities.
  Apple's Product Security page, complete with contact information for reporting security issues, has publicly existed in its current location since at least November 2001.
Jodi by tepples · 2012-07-24 08:57 · Score: 1

Do you have a link for more information?
It involves Jodi Daugherty from Nintendo's anti-piracy department. (Yes, the same Jodi after whom the "Return of the Jodi" jailbreak is named.) Look at this page and this page and search them for "phone".
Fantasy by Flere+Imsaho · 2012-07-24 11:10 · Score: 1

Wouldn't it be great if when the apple guys walked on stage, the whole crown stood as one and booed them?

--
It gripped her hand gently. 'Regret is for humans,' it said.
Official and formal presence.. by fustakrakich · 2012-07-24 11:19 · Score: 1

As apposed to backdoor sponsorship? Makes for a nice trap. Like when Goldfinger got all the mafia guys into one room and gassed 'em.

--
“He’s not deformed, he’s just drunk!”
1. Re:Official and formal presence.. by 4phun · 2012-07-24 14:26 · Score: 1
  
  As apposed to backdoor sponsorship? Makes for a nice trap. Like when Goldfinger got all the mafia guys into one room and gassed 'em.
  In related news after Apple's earnings report, Apple in a conference call to investors this evening invited all of Slashdot's top posters to attend an all expenses Apple paid conference at the mogul retreat in Sun Valley, Idaho next Saturday.
Apple? by Anonymous Coward · 2012-07-24 12:08 · Score: 0

Was Apple attending or giving the presentation? Because everytime someone puts "Apple" and "security" in the same sentence, the world starts laughing.
Re:LOL by drkstr1 · 2012-07-24 19:07 · Score: 1

Spoken like a true script kiddy.

--
Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7