
Two Black Hat Talks On Apple Security Cancelled

kdawson posted about 6 years ago | from the can't-say-that dept.

Security 125

An anonymous reader writes "Two separate Apple security talks have been nixed at the last minute from next week's Black Hat security conference in Las Vegas. The Washington Post's Security Fix blog reports that Apple researcher Charles Edge was to present on flaws in Apple's FileVault encryption plan, but asked Black Hat to cancel the talk, citing confidentiality agreements with Apple. Then on Friday, Apple pulled its security engineering team out of a planned public discussion on the company's security practices — which would have been a first for Apple. 'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said."


125 comments


Marketing? (5, Insightful)

KDR_11k (778916) | about 6 years ago | (#24455221)

Sounds like the marketing policy is "pretend there are no security issues". Hey, it seems to work.

Re:Marketing? (-1, Flamebait)

Anonymous Coward | about 6 years ago | (#24455259)

No, that would entail denying and not fixing nor releasing patches. But, Apple do that, you zealous troll.

Re:Marketing? (5, Insightful)

Bloodhound Alpha (1335331) | about 6 years ago | (#24455315)

The Marketing policy, not the company's policy. Obviously the company releases patches, but marketing, in relation to the public, pretends there are no issues. Quite a difference really.

Re:Marketing? (5, Insightful)

Goaway (82658) | about 6 years ago | (#24455979)

Apple is quiet about everything. This is not a case of Apple trying to cover up security problems, it's merely that Apple talks about nothing, ever, and that includes security policies.

Re:Marketing? (5, Insightful)

Bloodhound Alpha (1335331) | about 6 years ago | (#24456639)

Indeed, that is their strategy. It does serve though, to cover up security problems, and get people used to them acting secretive because, well, they are secretive.

Re:Marketing? (3, Interesting)

ScrewMaster (602015) | about 6 years ago | (#24463479)

'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said.

I'd say it's more likely that legal got wind of it, not marketing.

Re:Marketing? (2)

alex4u2nv (869827) | about 6 years ago | (#24457035)

It's a very good practice to leave holes open for script kiddies.

--
Hide the problem until there's an avalanche in your face?

Re:Marketing? (1)

mjwx (966435) | about 6 years ago | (#24460891)

The Marketing policy, not the company's policy. Obviously the company releases patches, but marketing, in relation to the public, pretends there are no issues. Quite a difference really.

But all apple does is marketing, the entire company revolves around the impression it creates of its products not the product itself. Put simply, marketing policy is company policy.

Re:Marketing? (1)

Rakarra (112805) | about 6 years ago | (#24463381)

The Marketing policy, not the company's policy

You do not understand Apple. They are a marketing-driven company, to the extent that marketing makes the company decisions. You can't push anything through if they refuse to give their blessing.

Re:Marketing? (0)

Anonymous Coward | about 6 years ago | (#24455921)

Only when the stories are posted [slashdot.org] around the world? That too - just half assed [slashdot.org] ?

It's difficult to see what sucks more - the company's ridiculous policies or its fanbois.

Re:Marketing? (1)

BPPG (1181851) | about 6 years ago | (#24463507)

No, that would entail denying and not fixing nor releasing patches. But, Apple do that, you zealous troll.

Why deny something nobody is talking about? And it's not like the security team was going to reveal all of the latest 0-days; they would be talking about stuff like how they learn about 0-days, their reaction time to exploits, their methods of implementing different patches, policies, priorities, etc.

Re:Marketing? (5, Informative)

mikael_j (106439) | about 6 years ago | (#24455401)

Sounds like just about every large ISP I've had the "pleasure" of working with. A small ISP's president will go issue a press release saying "Lightning took out two of our DSLAMs last night but it will be fixed ASAP", they'll most likely also record an automated message informing customers calling tech support about this. A large ISP OTOH will most likely keep quiet as long as possible, then issue a small notice on their website stating "Some of our customers are currently experiencing technical difficulties, our intarweb experts are investigating the problem and hope to have it fixed soon" and no information to customers calling tech support other than "There are 173 customers ahead of you, the wait time is 2 hours and 12 minutes".

/Mikael

Re:Marketing? (0)

Anonymous Coward | about 6 years ago | (#24458399)

My dealings with AT&T have been better. They lost connectivity for my local area, and after I entered my phone number they notified me that it was a regional problem and would be fixed in the next 3 days. It was kind of annoying to know that they could only estimate 3 days when I lost both telephone and dsl service, but they fixed it within about 8 hours.

Re:Marketing? (1)

assassinator42 (844848) | about 6 years ago | (#24460165)

Are you talking about the outage in the Midwest at approximately 1 AM EDT Friday? I'd cite that as an example of an ISP not telling customers the cause of a problem. All I've heard is that it was a regional problem, probably caused by some problems with maintenance. I thought it might have something to do with patching the DNS servers which, according to DoxPara, were vulnerable for quite some time after the exploit surfaced but now appear not to be. They'll never tell us the cause, though.
Unless someone has some information I don't.

Re:Marketing? (1)

piltdownman84 (853358) | about 6 years ago | (#24459711)

Sounds like my ISP. They never accept any blame. A few months ago my Internet goes out. I call my brother 4 blocks away and his is down as well. I verify with a coworker that his Internet is down as well. I then call tech support and wait on hold for thirty minutes. When I ask when Internet will be back in my area they claim everything is fine and try to talk me through the "check your modem, are you using a router? etc.." lines. After trying to explain that the problem isn't just me, the tech insists that I unplug my router and do all their silly tests. The tech finally agrees to check for outages in my area if I first try all his tests. I reluctantly agree, and surprise surprise, the person on the phone can't solve my problems by direct connecting my computer, unplugging and replugging everything. After all this the person on the phone tells me there aren't any reported outages in my area and I must be wrong. They offer to go through the unplugging and resetting again and if that didn't work they would schedule a tech to come out and set me up. At that point I couldn't be polite anymore and said I couldn't waste any more of my time with them. I called my brother and his internet was still down and he had given up on his phone call as soon as they wanted him to test his hardware. My internet came back the next day, and now when my internet goes out I just go to the office if I really need it. Thank God for the lack of any competition.

Re:Marketing? (1)

catmistake (814204) | about 6 years ago | (#24455459)

Well, not that I'm in love with it, but maybe it's "we'll cross that bridge when we come to it."

Re:Marketing? (-1, Troll)

Anonymous Coward | about 6 years ago | (#24455471)

Shades of M$. When will the corporates ever learn?

Re:Marketing? (1, Insightful)

Achromatic1978 (916097) | about 6 years ago | (#24456929)

Shades of MS my ass. Cite, please: "last time MSFT pulled a security talk from a conference".

Idiot.

Re:Marketing? (0)

Anonymous Coward | about 6 years ago | (#24461777)

This is not a troll it is the truth. Someone cite when the last time MS did shite like this was.

Re:Marketing? (5, Interesting)

fortyonejb (1116789) | about 6 years ago | (#24455823)

It's somewhat of a sad fact that this has been considered as fair and normal practice in the industry. Maybe because no real "safety" issues can be dragged into the mess, people who are not in the know simply do not care.

Just to make sure I'm /. approved, let's use the highly venerated auto industry. When product issues come up, auto makers must make their shortcomings public, and even issue recalls to fix said problems.

Just because my PC doesn't explode when hit from the rear, doesn't mean the shortcomings are any less valid. While of course marketing does not want anyone to know anything bad could ever happen with a Mac, it would be better for the company and its clients to have a more open dialog. Pretending there are no holes does not fill them.

Re:Marketing? (3, Insightful)

billcopc (196330) | about 6 years ago | (#24455903)

When product issues come up, auto makers must make their shortcomings public

Um, no. Recalls are a business strategy like any other. The lawyers sit down with the accountants, figure out total costs for a recall and a class-action lawsuit, and pick the cheaper of the two.

You'd be shocked to find out how often the lawsuit actually ends up cheaper. That's largely because class-action settlements have a very narrow scope, and only a small portion of the customer base will actually join the class.

Re:Marketing? (3, Insightful)

porcupine8 (816071) | about 6 years ago | (#24460631)

The question is - do you know this to be true from personal industry experience, or are you just quoting Fight Club?

Re:Marketing? (2, Funny)

Poltras (680608) | about 6 years ago | (#24462003)

The question is - do you know this to be true from personal industry experience, or are you just quoting Fight Club?

Damn, you forgot the first rule!

Re:Marketing? (0)

Anonymous Coward | about 6 years ago | (#24458145)

Just to make sure I'm /. approved, let's use the highly venerated auto industry. When product issues come up, auto makers must make their shortcomings public, and even issue recalls to fix said problems.

Only safety issues. Reliability problems are frequently buried or the affected customers are "bought off" to keep the issue secret.

Re:Marketing? (0)

Anonymous Coward | about 6 years ago | (#24455829)

Fools go bananas about apple BECOZ OMG IT SO SAEF!111

Re:Marketing? (2, Insightful)

falcon5768 (629591) | about 6 years ago | (#24455883)

Well the issue is from a marketing perspective it DOES look bad, but from USER perspective it looks good, but only to those of us in the industry who care, which is NOT who marketing is going after.

Re:Marketing? (2, Insightful)

Truekaiser (724672) | about 6 years ago | (#24456973)

That's because Jobs is an egomaniac. Any flaw means there was a mistake, and egomaniacs think they never make mistakes.

Re:Marketing? (1)

Leading Stoker (1338003) | about 6 years ago | (#24458987)

When will any of the computer companies understand: what isn't said is just as bad, as what is said?

Hello, Marketing and PR 101??

The very folks who know about security flaws, won't get much more insight in the "how and what", as they already did the probing to find out. But the general public can learn how a company really treats this aspect in their organization. End users r-e-a-l-l-y need to know that such companies do understand that security flaws aren't something to put on the backburner to fix, but to fix them ASAP. Too many wait to release them in the next patch (which could take months to roll out).

Then companies wonder why their slick marketing and PR doesn't help their sales? The sales won't come if a company is so arrogant as to protect its very users from its own product!

Security? (0)

Anonymous Coward | about 6 years ago | (#24460399)

Apple Security? That seems like one of them there oxymorons, like Fiscal Conservative, or Republican Thought.

Anyone who knows anything knows Apple and Security don't even belong in the same language, much less sitting next to each other in a sentence.

Re:Marketing? (1)

Ilgaz (86384) | about 6 years ago | (#24463953)

With a community like this (yes, I use mac) it will work.

Of course the über trolls and PR on the "other side" make it worse and give the community the much needed false trust. You figure out a very evil security breach on OS X, it has been verified by Apple too but... You give the job to the PR team and they come up with "Mp3 virus!!!" stupidness.

How would people trust your alerts (most of them are real) later? Or DOS'ing people's default browser via a jp2 exploit just to show off? Anyway, I just say we need a really working, Mac-focused heuristic security solution without stupid PR before OS X/Mac market share hits 20%.

Apple Security (0)

Anonymous Coward | about 6 years ago | (#24455231)

1. Cancel Security Talks
2. ???
3. Profit!

Re:Apple Security (1)

PC and Sony Fanboy (1248258) | about 6 years ago | (#24455413)

Profit only goes to the black hat accepting money to shut up, so apple doesn't have to fix things right now.

Re:Apple Security (1)

dangitman (862676) | about 6 years ago | (#24455693)

It's Apple. Shouldn't that be:

  1. Profit!
  2. ???
  3. There is no step three.

Re:Apple Security (1)

aliquis (678370) | about 6 years ago | (#24456029)

Unless:

1. Profit!
2. Steve Jobs quit/dies/..
3. ???

Personally I'd be happy with:
1. Flash dies (if not possible Adobe release better flash version for macs.)
2. Apple "get" gaming.
3. Apple sell hardware for a decent price.
4. Apple sell well-speced machines.
5. Apple focus on OS X and not lots of other bullshit.

But maybe that's just me ;)

If none of the above would be possible (and it's not very likely to happen) this would work too:
1. The free software desktops get some commercial quality software in all genres.
2. Nah, I'm done.

glowbull warmongering nazis' 'free ride' cancelled (-1, Offtopic)

Anonymous Coward | about 6 years ago | (#24455261)

the lights are coming up all over now. conspiracy theorists are being vindicated. some might choose a tin umbrella to go with their hats. the fairytail is winding down now. let your conscience be yOUR guide. you can be more helpful than you might have imagined. there are still some choices. if they do not suit you, consider the likely results of continuing to follow the corepirate nazi hypenosys story LIEn, whereas anything of relevance is replaced almost instantly with pr ?firm? scriptdead mindphuking propaganda or 'celebrity' trivia 'foam'. meanwhile; don't forget to get a little more oxygen on yOUR brain, & look up in the sky from time to time, starting early in the day. there's lots going on up there.


is it time to get real yet? A LOT of energy is being squandered in attempts to keep US in the dark. in the end (give or take a few 1000 years), the creators will prevail (world without end, etc...), as it has always been. the process of gaining yOUR release from the current hostage situation may not be what you might think it is. butt of course, most of US don't know, or care what a precarious/fatal situation we're in. for example; the insidious attempts by the felonious corepirate nazi execrable to block the suns' light, interfering with a requirement (sunlight) for us to stay healthy/alive. it's likely not good for yOUR health/memories 'else they'd be bragging about it? we're intending for the whoreabully deceptive (they'll do ANYTHING for a bit more monIE/power) felons to give up/fail even further, in attempting to control the 'weather', as well as a # of other things/events.


dictator style micro management has never worked (for very long). it's an illness. tie that with life0cidal aggression & softwar gangster style bullying, & what do we have? a greed/fear/ego based recipe for disaster. meanwhile, you can help to stop the bleeding (loss of life & limb);

http://www.cnn.com/2007/POLITICS/12/28/vermont.banning.bush.ap/index.html

the bleeding must be stopped before any healing can begin. jailing a couple of corepirate nazi hired goons would send a clear message to the rest of the world from US. any truthful look at the 'scorecard' would reveal that we are a society in decline/deep doo-doo, despite all of the scriptdead pr ?firm? generated drum beating & flag waving propaganda that we are constantly bombarded with. is it time to get real yet? please consider carefully ALL of yOUR other 'options'. the creators will prevail. as it has always been.

corepirate nazi execrable costs outweigh benefits
(Score:-)mynuts won, the king is a fink)
by ourselves on everyday 24/7

as there are no benefits, just more&more death/debt & disruption. fortunately there's an 'army' of light bringers, coming yOUR way. the little ones/innocents must/will be protected. after the big flash, ALL of yOUR imaginary 'borders' may blur a bit? for each of the creators' innocents harmed in any way, there is a debt that must/will be repaid by you/us, as the perpetrators/minions of unprecedented evile, will not be available. 'vote' with (what's left in) yOUR wallet, & by your behaviors. help bring an end to unprecedented evile's manifestation through yOUR owned felonious corepirate nazi glowbull warmongering execrable. some of US should consider ourselves somewhat fortunate to be among those scheduled to survive after the big flash/implementation of the creators' wwwildly popular planet/population rescue initiative/mandate. it's right in the manual, 'world without end', etc.... as we all ?know?, change is inevitable, & denying/ignoring gravity, logic, morality, etc..., is only possible, on a temporary basis. concern about the course of events that will occur should the life0cidal execrable fail to be intervened upon is in order. 'do not be dismayed' (also from the manual). however, it's ok/recommended, to not attempt to live under/accept, fauxking nazi felon greed/fear/ego based pr ?firm? scriptdead mindphuking hypenosys.

consult with/trust in yOUR creators. providing more than enough of everything for everyone (without any distracting/spiritdead personal gain motives), whilst badtolling unprecedented evile, using an unlimited supply of newclear power, since/until forever. see you there?

"If my people, which are called by my name, shall humble themselves, and pray, and seek my face, and turn from their wicked ways; then will I hear from heaven, and will forgive their sin, and will heal their land."

meanwhile, the life0cidal philistines continue on their path of death, debt, & disruption for most of US. gov. bush denies health care for the little ones;

http://www.cnn.com/2007/POLITICS/10/03/bush.veto/index.html

whilst demanding/extorting billions to paint more targets on the bigger kids;

http://www.cnn.com/2007/POLITICS/12/12/bush.war.funding/index.html

& pretending that it isn't happening here;

http://www.timesonline.co.uk/tol/news/world/us_and_americas/article3086937.ece
all is not lost/forgotten/forgiven

(yOUR elected) president al gore (deciding not to wait for the much anticipated 'lonesome al answers yOUR questions' interview here on /.) continues to attempt to shed some light on yOUR foibles. talk about reverse polarity;

http://www.timesonline.co.uk/tol/news/environment/article3046116.ece

Re:glowbull warmongering nazis' 'free ride' cancel (0, Offtopic)

B4light (1144317) | about 6 years ago | (#24455267)

tl;dr

Sounds very logic to me. (4, Insightful)

Anonymous Coward | about 6 years ago | (#24455265)

From a management and shareholder perspective I think it's quite normal and understandable of Apple to create such a policy.
A self-acclaimed public spokesperson representing your company about a subject without prior permission?

You must be a veteran here but new on the job market.

Re:Sounds very logic to me. (4, Insightful)

vertinox (846076) | about 6 years ago | (#24455499)

From a management and shareholder perspective I think it's quite normal and understandable of Apple to create such a policy.

For a term holder then yes, but if you are a long term, then bad PR like this isn't desirable for company image over the course of several years.

Besides, just because you don't disclose the exploit, doesn't mean it goes away.

Re:Sounds very logic to me. (0, Troll)

timmarhy (659436) | about 6 years ago | (#24455575)

As opposed to an exploit (which Apple ignores or doesn't look into) turning into the equivalent of the Code Red worm? Brilliant PR work there, son.

Re:Sounds very logic to me. (5, Insightful)

lostmongoose (1094523) | about 6 years ago | (#24455577)

The problem is not that they need permission. The problem is that they need permission from *marketing*. This should be the legal team's job. When you let marketing make these decisions, management (not the engineers, obviously) have effectively said "There are no flaws in our product and if you say there are then we're wrong and we all know we're never wrong."

Re:Sounds very logic to me. (0, Troll)

vague disclaimer (861154) | about 6 years ago | (#24457723)

**The problem is that they need permission from *marketing*.**

And the evidence that this is the case? The word of some "spokesman" for Black Hat.

Right. That's me convinced!

Marketing == American lawyers (-1, Troll)

unity100 (970058) | about 6 years ago | (#24455271)

if we kill those marketing people, the world is going to be a much better place. preferred method should be beating to death by a stick.

Of course, that's excluding NYCL from the lawyers list.

Re:Marketing == American lawyers (2, Funny)

MyLongNickName (822545) | about 6 years ago | (#24455409)

preferred method should be beating to death by a stick.
My guess is you lack the upper body strength to pick up a stick.

Re:Marketing == American lawyers (1)

Macthorpe (960048) | about 6 years ago | (#24456583)

And the brainpower to work out which end of the stick to hit someone with...

Bill Hicks On Marketing (1)

conner_bw (120497) | about 6 years ago | (#24455505)

R.I.P. [youtube.com]

too scared (1)

sylverboss (846288) | about 6 years ago | (#24455279)

Again, this is the perfect example of not admitting that there is a "problem" and willing to fix it ... SB

Shhh, if we don't admit anything (2, Insightful)

CrypticSpawn (719164) | about 6 years ago | (#24455283)

I guess Apple is still very much old school when it comes to admitting their mistakes. Or they just might believe in security thru obscurity. Either way, this move put them in the limelight even more. Great work, marketing. Someone deserves to be fired...

Re:Shhh, if we don't admit anything (3, Funny)

Sancho (17056) | about 6 years ago | (#24457311)

I wish there was an "incomprehensible grammar" mod....

Summary of second pulled talk (-1, Troll)

Anonymous Coward | about 6 years ago | (#24455335)

It's evident now: "Security by obscurity".

Perceived security through obscurity (0)

Anonymous Coward | about 6 years ago | (#24455379)

...it sounds like. That's "(perceived security) through obscurity", not "perceived (security through obscurity)". Well, maybe that too.

definitely MS's doing (0, Troll)

timmarhy (659436) | about 6 years ago | (#24455433)

I don't know how, but this is definitely MS's fault. Those sneaky pricks at MS have found a way to force Apple into using their patented security model.

Re:definitely MS's doing (0)

Anonymous Coward | about 6 years ago | (#24456005)

Yeah, because Apple and MS are sooo different. MS is the evil proprietary company, while Apple is just sunshine, open source and ponies.

Re:definitely MS's doing (2, Interesting)

Tom90deg (1190691) | about 6 years ago | (#24456385)

Well, of course! Apple is the underdog. Never mind the fact that it has the number one selling music player, and the market share is increasing, and that iTunes is extremely popular, and people are killing others for an iPhone...

Oh wait. Maybe Apple ISN'T the underdog. Maybe its practices are just the same as any other large company that wants to make a profit. It's no different from any others in that respect, in fact, it may be worse, as people excuse Apple for a lot, as they still think of it as the underdog.

wtf you guys talking about? (-1, Troll)

Anonymous Coward | about 6 years ago | (#24455453)

You would want exploits in your system known. Say you're running a bunch of servers or selling a software product, would you like people to know how to make you lose time/money?

sarcasm > bash

Re:wtf you guys talking about? (-1, Troll)

Anonymous Coward | about 6 years ago | (#24455557)

why do you only say this shit when it's apple, and not when it's linux or microsoft? very very gay of you.

Re:wtf you guys talking about? (1)

KDR_11k (778916) | about 6 years ago | (#24456021)

It takes only one bad guy to figure that out by himself and you'll get owned, you have to know the exploit yourself to know what measures could be taken to prevent it.

Steve is not impressed (4, Interesting)

bxwatso (1059160) | about 6 years ago | (#24455641)

This must be bittersweet for Steve B., since Apple likes to tout that its software is more secure than Vista. I wonder if Walt Mossberg is taking note of this.

I think Steve J.'s brand of evil is about the same as MS's, but because they are perceived as underdogs, people don't care as much.

Re:Steve is not impressed (2, Interesting)

eclectic4 (665330) | about 6 years ago | (#24456051)

"This must be bittersweet for Steve B., since Apple likes to tout that its software is more secure than Vista. I wonder if Walt Mossberg is taking note of this."

Why? I didn't read anywhere in this article that stated Mac OS X is less secure than Windows... as it would be just plain silly.

"I think Steve J.'s brand of evil is about the same as MS's, but because they are perceived as underdogs, people don't care as much."

You may be right. But it doesn't change the fact that more and more consumers are simply realizing that Apple sucks less than Microsoft in almost every area. But, I can only assume that's what you meant would be the benefit of people "perceiving" Apple as underdogs, as you also didn't state this. Suggesting that being perceived as underdogs would increase sales is, well... also very silly.

Re:Steve is not impressed (3, Interesting)

bxwatso (1059160) | about 6 years ago | (#24456261)

My points were that if Apple is really more secure than Vista, Apple would welcome a thorough investigation of its OS. In that regard, MS is more proactive. Personally, I find both OS's acceptable regarding security.

I do think that a lot of people are turned off by the size of MS more than the quality of its products. A lot of people want something different to express themselves. Even when Apple truly sucked (and it did), a fair number of people stuck with them presumably to distance themselves from the giant and evil MS.

Re:Steve is not impressed (4, Insightful)

Smurf (7981) | about 6 years ago | (#24459817)

My points were that if Apple is really more secure than Vista, Apple would welcome a thorough investigation of its OS.

Probably. But do take into account that the engineers (i.e., the people who actually KNOW the technical details) WANTED to have the discussion.

The decision to cancel it came from marketing, those who don't understand the technical details but are reasonably afraid that someone might pull a rabbit from their hat and make Macs look bad.

Re:Steve is not impressed (1)

WNight (23683) | about 6 years ago | (#24462935)

Yes, that is the knee-jerk reaction you'd expect from marketing.

The problem is that it's overriding Engineering's attempts to actually improve the product.

Maybe someone should be afraid that a hacker WILL pull a rabbit from his hat, and use it to demonstrate the flaws of their security model. A code-red level worm, now, would be a huge market killer.

Re:Steve is not impressed (2, Interesting)

porcupine8 (816071) | about 6 years ago | (#24460669)

Not necessarily - if they are more secure than Vista, but less secure than the current public perception, then why would they want to bring public perception of their security down, even if it's still higher than Vista?

Re:Steve is not impressed (1)

Serious Callers Only (1022605) | about 6 years ago | (#24462929)

I do think that a lot of people are turned off by the size of MS more than the quality of its products.

Or maybe it's their mediocre products and utter disregard for their customers and partners that turns people off?

Re:Steve is not impressed (2, Funny)

azav (469988) | about 6 years ago | (#24456485)

You are absolutely correct. It still sucks, it just sucks less.

I remember the Apple internal code name for their sound manager in or around 1989. It was called Barking Pumpkin and their motto was "it just sucks less."

Re:Steve is not impressed (0)

Anonymous Coward | about 6 years ago | (#24456075)

So because Apple isn't giving a security talk, their software is somehow less secure than Vista?

Yeah, that makes sense.

You failr1 it (-1)

Anonymous Coward | about 6 years ago | (#24455643)

Who are intersted users. BSD/OS core team. ThAey empire in decline,

Apple Marketing is the "best". (3, Interesting)

Anonymous Coward | about 6 years ago | (#24455703)

Apple's marketing is genius.

A few years back, they were talking up how FileVault (home folder encryption) uses AES-128 encryption, implying that it would take longer to crack than the age of the universe.
http://www.apple.com/sg/macosx/features/filevault/

Meanwhile, the password could often be found in plain text on the hard drive in swap files. This was back before encrypting swap was an option.

It's also funny how a company that sells itself as secure has root privilege escalation without a password as a feature out of the box.
http://www.apple.com/sg/macosx/features/security/

I guess the default account having root access is sort of an industry standard given Windows. Phrases like "wise architectural decisions" are relative, so not strictly false. I won't touch "intelligent design".

But saying, and I quote, "The Mac OS X administrator account, unlike the Windows admin account, disables access to the core functions of the operating system." is an outright lie (see above "root privilege escalation feature").

Re:Apple Marketing is the "best". (1)

Dog-Cow (21281) | about 6 years ago | (#24456439)

I've always been prompted for my password when performing admin actions under OS X.

Re:Apple Marketing is the "best". (0)

Anonymous Coward | about 6 years ago | (#24456521)

Trust me, if you are logged in using the out of the box default account, which is admin, asking for your password is done merely as a courtesy.

Re:Apple Marketing is the "best". (1)

the 99th penguin (1453) | about 6 years ago | (#24459627)

It's also funny how a company that sells itself as secure has root privilege escalation without a password as a feature out of the box.
http://www.apple.com/sg/macosx/features/security/ [apple.com]

I can't see that anywhere in the link you're citing, could you please point out where it says that? To have a proper discussion about things we need facts not unfounded accusations. I don't have any problem believing Apple might have done something like that but I need a proper link.

Re:Apple Marketing is the "best". (0)

Anonymous Coward | about 6 years ago | (#24460523)

The link is poorly placed and points out Apple's claims, and not the vulnerability which is very old and very well known.

Here is a recent but overcomplicated "how to" for abusing the built-in feature that allows you to Get Root on 10.5.4 [rixstep.com]

There are still some Apple-related talks left: (2, Informative)

secmartin (1336705) | about 6 years ago | (#24455925)

While it's pretty sad to hear that their security team is not allowed to speak, there are still two talks about Apple products left: Jesse D'Aguanno's talk about rootkits for OS X, and Petko D. Petkov who announced he might provide some details about a 0-day attack against Quicktime.

I haven't been fucked like that since the NextCube (4, Funny)

billcopc (196330) | about 6 years ago | (#24455967)

Rule #1: You do not talk about Apple flaws
Rule #2: You DO NOT talk about Apple flaws
Rule #3: If someone says "stop" or goes limp, taps out we make him the CEO
Rule #4: Only two sentences to an argument
Rule #5: One argument at a time
Rule #6: No punch, no daiquiris
Rule #7: Cover-ups will go on as long as they have to
Rule #8: If this is your first night at Apple flaws, you HAVE to swallow

Re:I haven't been fucked like that since the NextC (1)

haggus71 (1051238) | about 6 years ago | (#24456495)

This is Jobs. Jobs has bitch-tits.

Re:I haven't been fucked like that since the NextC (0)

Anonymous Coward | about 6 years ago | (#24457203)

Rule #8: If this is your first night at Apple flaws, you HAVE to swallow

Rule #34: There's an iPod silhouette poster of it. No exceptions.
Rule #35: If there isn't an iPod silhouette of it, Jobs will make an iPod silhouette advertisement of it.

(MOAR!)

Color blind (0, Troll)

iMac Were (911261) | about 6 years ago | (#24455993)

All the mac users I know have brown hats [urbandictionary.com], not black ones.

It just doesn't surprise me... (1, Interesting)

Anonymous Coward | about 6 years ago | (#24456083)

It doesn't surprise me Apple's marketing team doesn't allow comment on practices, fixes or developments... they don't even get back to the people finding issues like Jon Longoria on the Spaces theoretical vulnerability. I emailed him to see if he had gotten comment and was told no one would talk with him to discuss the problem or attempt a fix. RE: http://thereformed.org/2008/05/03/theory-apple-osx-spaces-vulnerable/ . I don't really get wtf is wrong with Apple, I think they're locking up under the strain of their evolving popularity. Apple, you've actually broken into the real industry and not the hobbyist, it's time to put your pants on and get open about your problems and what you're doing to fix them!

Not Surprised (2, Interesting)

Anonymous Coward | about 6 years ago | (#24456371)

I'm not surprised really to see a corporation sponsored "Hacker" conference have talks canceled due to confidentiality agreements.

I've yet to hear a real hacker conference have their talks canceled due to something like that. Normally cancellations involve the speaker being escorted out in handcuffs.

But honestly there are far better, and more hacker-centric conferences out there than Black Hat. Conferences that come to mind are Chaos Communications Camp (or Chaos Communications Congress in the winter), Defcon, and even H.O.P.E. are far better choices than Black Hat.

There are more conferences out there that have the same "hacker spirit" but aren't as hard-core like NotaCon which has more of a social atmosphere to it.

But I digress, plan to see more of these types of cancellations at Black Hat in the future since the corporations just are looking for another excuse to line their pockets with more money. The fees for this Conference are astronomical, anywhere between $1300.00 to $5000.00 PER TALK compared to The Last H.O.P.E. where the price was ~$80.00 total as in you pay $80.00 and you get to go to EVERYTHING.

-VK

Here's a serious flaw with FileVault (3, Interesting)

azav (469988) | about 6 years ago | (#24456433)

1. Create two accounts on your mac. One is a throwaway with FileVault turned on.
2. Log in to both and switch to your non-FileVault account.
3. Copy a large enough chunk of data to the drop box of the FileVault user so that you will ALMOST fill up the boot drive.
4. Duplicate that data to another folder on your boot drive.
5. Wait till the hard drive fills up and you have 0 K on the drive.
6. Launch Safari and load a few web pages with lots of rotating ads. This is to guarantee that more data is being brought onto the hard drive.

At some point, the FileVault account becomes corrupted. You can't log in to it, you can't recover it. It's gone.

Re:Here's a serious flaw with FileVault (0)

Anonymous Coward | about 6 years ago | (#24456709)

I've never even used OSX, but I have to believe that you missed a couple of steps in your repro. Somewhere in there, there MUST be a couple of "ignore low space warning messages, click 'cancel'" or something equivalent. Probably at least around steps 4 and 5. If it does warn and the user continues, it seems they would be in an unsupportable environment anyway. If it doesn't warn about space (and I can't believe it wouldn't; from everything I hear about it - it is well designed), then it would be time to get a different OS.

Re:Here's a serious flaw with FileVault (2)

lukas84 (912874) | about 6 years ago | (#24457667)

As I understood it, one user can fuck up another user's account, without the need for administrative privileges.

This *is* an issue.

Re:Here's a serious flaw with FileVault (-1, Flamebait)

E IS mC(Square) (721736) | about 6 years ago | (#24456731)

At some point, the FileVault account becomes corrupted. You can't log in to it, you can't recover it. It's gone.

But that's a feature. Ask any Apple fanboy.

Solution: (2, Informative)

e4g4 (533831) | about 6 years ago | (#24459569)

chmod go-w ~/Public/Drop\ Box

Admittedly - it is a problem, but it certainly has a workaround.

Re:Here's a serious flaw with FileVault (0)

Anonymous Coward | about 6 years ago | (#24461833)

I haven't tried that, but can believe it, certainly for systems prior to 10.4.7. Have you demonstrated this behavior on a system later than 10.4.7?

I've seen a few Filevault instances become corrupt. Apple appears not to have thoroughly considered the implications of its Filevault implementation, or at least didn't consider it very carefully prior to OS X 10.4.7.

The way Filevault (roughly) works is that the AES encrypted content is stored on a sparse disk image with the key for those data encrypted through 3DES (that is in turn unlocked by your account password). The problem, or one of the problems, is that prior to OS X 10.4.7 the AES key was stored at the end of the disk image. When data are added to such an image, where the added data require the actual space used by the image to be enlarged, the key must be logically moved to accommodate the operation. Then if something goes wrong at just the wrong moment, there is a possibility the key may be nuked. Since it's presently impractical to brute force a 128-bit AES key, and assuming you can't find a copy of that key in a backup or hidden away somewhere in the disused space on your drive, then your data are as good as gone. Moving the key is bad.

The workarounds are twofold:
First, if you're running OS X 10.3 or any system prior to 10.4.7, upgrade to OS X 10.4 or 10.5, then patch it to the latest release -- beyond 10.4.7! Then disable Filevault and re-enable it. Doing so will re-encrypt the data so you get an image in the later version of the Filevault that puts the headers at the front of the image.

Second, immediately after you create a new Filevault instance or an encrypted disk image, make a copy of the image before you add any data. Make a copy of any existing encrypted sparse images if they were created on a version of OS X prior to 10.4.7. Then, if need be, use the copy to recover the AES key when the image is corrupted.

NOTE: Prior to 10.4.7 the key was kept in roughly the last 4KB of the file and ends with the string "cdsaencr". On modern encrypted images it's at the front of the image and the key begins with "encrcdsa".

Either way, if the key gets corrupted the entire image is hosed so it's a good idea to keep a copy of the key someplace else.
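As an added example (not code from this thread or from Apple), the two layouts the comment describes and its "copy the image before adding data" workaround, reduced to the part that matters: classify an encrypted sparse image by which magic string it carries and copy the key-bearing region aside. It assumes only the two markers and the rough 4KB figure given in the comment; the constructed sample files are stand-ins, not real disk images.

```python
"""Classify an encrypted sparse image by where its wrapped key lives and
back that region up.  Markers and the 4KB window come from the comment
above; everything else here is an assumption for illustration."""
import os
import tempfile

V2_MAGIC = b"encrcdsa"   # key header at the front of images made on 10.4.7+
V1_MAGIC = b"cdsaencr"   # key trailer near the end of pre-10.4.7 images
KEY_WINDOW = 4096        # "roughly the last 4KB"; assumed wide enough for
                         # the front header as well


def classify_image(path):
    """Return 'v2-front', 'v1-end' or 'unknown' for an encrypted image."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        if f.read(len(V2_MAGIC)) == V2_MAGIC:
            return "v2-front"
        f.seek(max(0, size - KEY_WINDOW))
        tail = f.read()
    return "v1-end" if V1_MAGIC in tail else "unknown"


def key_region(path):
    """(offset, length) of the region holding the wrapped AES key.

    On v1 images it sits at the end and is rewritten whenever the sparse
    image grows (the failure mode described above); on v2 images it sits
    at offset 0 and never moves."""
    kind = classify_image(path)
    size = os.path.getsize(path)
    if kind == "v2-front":
        return 0, min(KEY_WINDOW, size)
    if kind == "v1-end":
        start = max(0, size - KEY_WINDOW)
        return start, size - start
    raise ValueError("not a recognised encrypted image: %s" % path)


def backup_key_region(path, dest):
    """Copy the key-bearing bytes to dest; returns the number of bytes copied."""
    start, length = key_region(path)
    with open(path, "rb") as src, open(dest, "wb") as out:
        src.seek(start)
        chunk = src.read(length)
        out.write(chunk)
    return len(chunk)


def make_sample_images(directory):
    """Constructed stand-ins for the two layouts (not real disk images)."""
    v2 = os.path.join(directory, "new.sparseimage")
    v1 = os.path.join(directory, "old.sparseimage")
    with open(v2, "wb") as f:
        f.write(V2_MAGIC + b"\x00" * 8192)
    with open(v1, "wb") as f:
        f.write(b"\x00" * 8192 + V1_MAGIC + b"\x00" * 100)
    return v1, v2


def check_samples():
    """Build the samples, classify them and back up their key regions.
    Returns (old_kind, new_kind, old_bytes_copied, new_bytes_copied)."""
    with tempfile.TemporaryDirectory() as d:
        old, new = make_sample_images(d)
        return (classify_image(old), classify_image(new),
                backup_key_region(old, old + ".keybak"),
                backup_key_region(new, new + ".keybak"))


if __name__ == "__main__":
    print(check_samples())  # ('v1-end', 'v2-front', 4096, 4096)
```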

Have you tried this with OS X 10.4.7? (0)

Anonymous Coward | about 6 years ago | (#24462359)

I'm curious if this works with Filevault accounts created under OS X 10.4.7 or later versions of OS X?

10.4.7 changed the way the AES key is stored. Before it was at the end of the Filevault disk image, which meant the key would have to be rewritten when the disk image expanded, which meant there was a dangerously high probability it might not be saved back correctly, thus rendering the image unusable. Since 10.4.7 it has been at the beginning of the disk image, so it never needs to be rewritten.

If the problem the parent described was due to the (encrypted) AES key not being rewritten, then 10.4.7 should have fixed it.

Apple does NOT get brownie points for how it originally chose to store the key, among other Filevault design deficiencies. {insert frowny face here}

Please let us know...

The sad thing is (5, Insightful)

ILongForDarkness (1134931) | about 6 years ago | (#24456571)

Apple makes pretty good products. But in some ways their business practices are worse than Microsoft's. They are so secretive that it is scary. They add to it by attacking the PC industry and saying how their product is better, but all they will give you for information is press releases. At least MS is finally being more open with what is going on in the background with things like Channel 9 and various blogs. There is a line where you have to protect company interests, but it shouldn't compromise the customers' ability to make an informed choice.

Re:The sad thing is (0)

Anonymous Coward | about 6 years ago | (#24457213)

What gave Apple life was FreeBSD. What made it irrelevant in the past will continue to in the future. Apple will self destruct just by its mentality.

Re:The sad thing is (0, Flamebait)

Anonymous Coward | about 6 years ago | (#24458933)

Apple is dependent on the consumer's lack of ability to make an informed choice.

Re:The sad thing is (2, Insightful)

ScrewMaster (602015) | about 6 years ago | (#24463531)

I'd say it's more like Apple is dependent upon the consumers in their chosen market segment being (to a certain degree) computer illiterate. And let's face it, computer illiterates aren't likely to make an informed choice when it comes to buying a computer or choosing an OS. All they can do is follow marketing fluff about simplicity and ease-of-use.

Now, that's no dig at Apple's products ... by and large they deliver on what their market-droids promise. It's just that Apple made the conscious choice to target people who are often really too stupid to use a computer.

Perception is that Apple is lax on security (1)

synthespian (563437) | about 6 years ago | (#24457795)

'Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,' a Black Hat spokesman said."

Then Apple marketing people aren't very smart, are they? Because it sure isn't helping the perception that Apple is lax on security.

Re:Perception is that Apple is lax on security (1)

mjwx (966435) | about 6 years ago | (#24460979)

Then Apple marketing people aren't very smart, are they? Because it sure isn't helping the perception that Apple is lax on security.

On the contrary,

Apple has always been like this, OS X has always practised security through obscurity and used takedown orders and NDAs to hide flaws. The simple fact that people are only just beginning to see this is proof of the great job that Apple marketing has been doing. As always, it's impossible to carry on a lie forever.

Reality Distortion (0)

Anonymous Coward | about 6 years ago | (#24458917)

Apple reality distortion has been going on since the Apple ][ days, lying about sales and popularity ("We're #1", behind Radio Shack and Commodore...), saying less is better (more flexible! just add bunches of cards), etc.

Such current ones I note are: the bolstering of 'intuitive' and 'just works'. Those are actually brought over from old MacOS days. OSX may be prettier but the UI guidelines for intuitive behavior died with Mail and AddressBook, and printer management. "Just works" only applies to mac-to-mac when networking; try to do Linux or Windows Servers and your mileage may vary.

Also the change from AppleWorks to iWork took a chunk out of compatibility too (AppleWorks at least had a Windows version).

We've been using Macs here since the floppy-only Plus and SE and there was quite a usability hit with OSX - maybe networking has improved (SMB) but application usability and interfaces became really confused.

Worry about Apple: people may be jumping from Windows for one reason or another, only to easily end up with similar lock-in on the Mac. We will still use Macs here, as they are initially more secure than Windows and easy to use, but I tread carefully not to employ dead-end applications like iWork and lock us into only Macs.

Re:Reality Distortion (1)

argent (18001) | about 6 years ago | (#24460499)

Intuitive? It's still light years ahead of Windows and Gnome/LDE.

Just works? That was always bullshit. Mac OS classic never "just worked", Mac OS classic was *shit*. What it had was that it was all very simple, and the ways it went together were very simple, so you could fix it when it broke without being any kind of geek. OS X, now, that's pretty damn close to "just works".

Printers? I'm still having problems getting Windows to handle printers at work. They just show up on OS X.

Don't lock yourself into dead end applications. And that includes Microsoft Office, which gets changed incompatibly every time a new version comes out. The applications I most depend on are the ones I have the source code to, and some of them are the same ones I was using almost 30 years ago.

Marketing Rules (1)

Nom du Keyboard (633989) | about 6 years ago | (#24459177)

Obviously Marketing rules at Apple. And you're surprised -- why?

One day in Vegas (1, Funny)

EEPROMS (889169) | about 6 years ago | (#24459183)

Hacker "Hai dude your OS is insecure"
Apple "No, it is perfectly secure"
Hacker "Seriously, duuuude, watch me hack your machine"
Apple "Can't be done, our software was blessed by the gods of Steve"
Hacker "Duude, I'm not kidding, I'm in your machine, watch as I buy some child porn with your credit card"
Apple "Ha, all a figment of your imagination, our marketing department says we have the best operating system in existence"
FBI "Excuse me sir, I would like to talk to you regarding the purchase of illicit child porn"
Apple [while being dragged away] "I can assure you this has nothing to do with our operating system"
Hacker "hmm bummer, did that fed have a macbook, he looks like an anal sex type of guy to me heh"
[clickety clickety]

Misalignment with Snow Leopard (1)

jjgm (663044) | about 6 years ago | (#24459701)

This is a stumbling block on Apple's road to the enterprise. That's out of alignment with the technology plan for Snow Leopard server, which includes many new features [apple.com] directly aimed at supporting the mid-sized enterprise.

Combine that with the general trend towards browser-as-client, and with the advent of VMware Fusion and Parallels, and at a time when there's no compelling case to deploy Vista during a desktop refresh, Apple has a significant position from which to attack the enterprise desktop & backend.

However: transparency, rapid response, and disclosure rule the day with competent corporate security teams, and this kind of malarkey just won't wash with my guys.

marketing policy or marketing police? (0)

Anonymous Coward | about 6 years ago | (#24460655)

Hallo, zis is Herr Flick of ze Gestapo, you are not allowed to speak publicly about security matters of the Reich. You may kiss me now Helga.

Here's what's wrong with FileVault: (0)

Anonymous Coward | about 6 years ago | (#24460671)

1. It only encrypts the home directory; /tmp, /var/log, and what have you are still unencrypted

2. Turning on FileVault doesn't automatically enable encrypted SWAP (minor problem, as it is easily addressed)

3. When computer goes into safe sleep, contents of RAM are written to disk - the key is in plain text!

4. Volume Key is unlocked from log in password. This is massively inconvenient, as I would like to have the crypto well protected, but my user account - not so much. So I wound up having a 30 character login password.

5. MOST DISCONCERTING: The Volume key is actually encrypted using the login password. This is common cryptographic practice, as it allows for password changes and more cryptographically secure keys for disk encryption. However, the encryption used on the volume key is 3DES, with effective key length of 112 bits. This significantly reduces the key space (from 128 bit AES used on FileVault) .

Later versions of FileVault can also use 1024bit RSA to encrypt the volume key. In this case, the cryptographic strength is ~80bits.

You don't know the power of the Marketing Force! (1)

stmok (1331127) | about 6 years ago | (#24463057)

Hackers: We're gonna present security issues with Apple solutions at the Black Hat Conference in Vegas! It's going to be great!

Apple Marketing: *Waves hand*...There are no security issues with Apple products.

Hackers: There are no security issues with Apple products.

Apple Marketing: You will withdraw your presentations.

Hackers: We will withdraw our presentations.

Apple Marketing: You want to be in Apple's "PC and Mac" TV ads.

Hackers: We want to be...No we don't!
