Apple is right on security...shut up

[mi5moav]

I am so confused about how everyone bashes apple about not fessing up about problems that may or may not have been discovered with security issues. Why the heck would any company discloses flaws, weaknesses or any kind of security breaches in their software to the public or even private sector. That is worse than myself going out to the local papers and saying someone has found a security issue with my home or business. Here are the places theifs, bandits, burglars, rapists and muggers can enter. What the F#$*!!! I don't get it. When do you ever hear a bank say well at 8:14 am our alarms reset so we are vulnerable at that time. NO!!!! you keep things like that a secret. If, a neighbor or someone believes he has found something that may lead to a breach in my well being or those or anyone(the sidewalk in front of my house is coming up) He let's me know in private, allowing me to fix it or leave it. A good citizen does not run out to the public and say, Hey everyone, John's sidewalk is looking bad anyone that walks by his house and trips on it could get some good money from a lawsuit. God Dam!!! I have never been so upset. If everyone would shut up about what flaws are out there, the chance that malicious individuals could actually take advantage would be way down. So, apple is told of a security breach they look it over and decide on their own. They then secretly send code out to patch it. They need not tell us what is being patched, it is for our good... they won't send out something that makes matters worse. They should not need to divulge what the flaws where involved...patch them if they think that it will cost someone their lives and shut up. I am so sick of this and I think this has been handled wrong from the start. In 18 years of using the mac the only security I have ever encountered with the mac is someone giving out their password to people to gain access.

 

[Salvo]

If someone noticed that the Front door of my House could be opened with a Toothpick, and told me, I would fix it straight away. If I owned rental properties and one of my Tenants told me that the doors could be opened with toothpicks, I'd have a Locksmith out there fixing the locks as soon as they hung up the phone.
The Security Issues I think you are referring to, have been known by Apple since Late February (at the Latest) and Still hadn't been fixed in Early May. The Good Samaritan who discovered one of these flaws (lixlpixel) was discussing them in a Technical Forum, and others in the Forum believed that the flaws should be made public.
Shortly afterwards it was discovered that Related Flaws existed (which still haven't been completely Solved). These more serious flaws would not have been discovered without Open Community Discussion, just like what we're doing here.
While I don't agree with the White Hat Hackers notifying the Public (and potentially and Black Hat Hackers) about the problems, I agree even less with Apple not doing anything about it Immediately. Technically, these flaws were much more serious than anything in any Version of Windows, and since MacOS X has a reputation for Security, it was absolutely shocking!
The reason why everyone is Bashing Apple is because they didn't react to the Announcement of the flaw quickly enough.
What if a Black Hat Hacker discovered the flaw independently to lixlpixel? Almost any web page, web forum or even an email could do major damage to a Mac Users data. Embed the Exploit in MacOSX.com and Whammo! Everyone here (except those who haven't switched yet) will loose everything in their Home Folder! If you don't believe, me visit This Site on the Apple Support Pages. (yes this page is actually on the Apple Website, and if clicked and left the link alone for too long (opened it on a New Tab in the Background, for example), you'll have a Compromised Computer System.)
Moderators feel free to Edit this Post.
Daniel.

 

[mi5moav]

Yes, if someone noticed that my front door could be unlocked with a toothpick then they would tell me. But they need not tell the neighbors and the neighbors do not need to get into a discussion about all the other flaws about the house that could be compromised. Heck, if I'm a burglar I'm going to sit in on these "open forums" and listen to my little hearts content. It's natural selection, we do not need to tell the dodo that you are an idiot and unless you learn to fly you'll be extinct soon. Apple did not feel that the issue would be compromised, and they were right... first off I have not proof that the individual even went to the right channels or pursued the issue more then 3 times before bringing it public. Again, if I tell Bush that he needs to put a lock on the second floor window of the white house and he doesn't listen fine. He doesn't believe that anyone is in jeopardy. So, for 6 months they were able to concentrate efforts and money on other issues... and nothing happened. My house is going to blow up if I don't fix my ac, today... I don't want to, I don't have the money. But I fix it 6 months later for less money, when I have the time and no one is the worse for wear. Security issues do not need to be in open forums... Every individual must be accounted for since supposed critical information is being passed. If you can not guarantee me that every bit of information will not be leaked to the public I don't want you talking about any security issues on my house or business.

And if I leave my front door open to catch the thiefs in action I won't have to worry about locking my door again. But if i warn the thiefs before hand then I'll never have a chance and must continue to hide my head in the sand.

 

[Salvo]

But your Door being unlocked by a Toothpick doesn't effect your Neighbors house. If Everyone in your Block of Flats had Dodgy front door locks, and one person discovered it, I'd expect that person to tell everyone in the Block, so that everyone can make sure it was fixed. If that one person discovered it, and sent a letter to the Body Corporate, suggesting that locks be Replaced as soon as possible, and the Body Corporate did nothing for 2 months, not even acknowledge the problem, I'd definitely expect the initial discoverer to tell me, so I can install a Dead-Bolt, a Security Chain or replace the lock myself.

WRT Catching the Thieves in Action, That would require an Eternal Vigil at every persons front door. One moments Lapse in Concentration and the next thing you know your Flat has been cleaned out/ Your Data has been erased. And if you warn the Thieves beforehand, they probably wont bother with your place, and concentrate on the Housing Commission (read Housing Project or Housing Estate in US or UK) Flats down the road, where there are more Targets and they are less secure (Windows Worms).

It's not hard to keep a system more secure than Windows. Apple shouldn't have these delays with Security Fixes. They should be on Software Update within a week of the Exploit being discovered. Reminds me of the Saying "You don't have to run faster than the Hungry Bear, just faster than the other Guy"

 

[mi5moav]

So, if the empire state building or sears tower had a security issue that joe the pixie hacker should tell the NY times so, that every burglar in Chicago or NY could go in? No, he wanted attention... supposedly he told apple 3 months ago...Is this 100% fact? No, he didn't get recognition from Apple. Joe, you are the greatest you found a flaw kthank you so, much we are going to give you 100 million and a carbon fiber sea kayak. I would rather have false security and believe my home was 100 percent fireproof, then have 5000 hackers lighting matches under it to see if it was/wasn't.

 

[jocknerd]

So, if the empire state building or sears tower had a security issue that joe the pixie hacker should tell the NY times so, that every burglar in Chicago or NY could go in? No, he wanted attention... supposedly he told apple 3 months ago...Is this 100% fact? No, he didn't get recognition from Apple. Joe, you are the greatest you found a flaw kthank you so, much we are going to give you 100 million and a carbon fiber sea kayak. I would rather have false security and believe my home was 100 percent fireproof, then have 5000 hackers lighting matches under it to see if it was/wasn't.

Security through obscurity

 

[mi5moav]

No, microsofts theory is let everyone in the world know that you have flaws so that they can be exploited. Apple's is shut up and don't tell the world until after they are fixed. They have it right and everyone is trying to make them more like Microsoft. I don't want Apple telling the world all the weakness that my computer system has... They shut up, the try to keep the utmost confidentiality between my computer and the outside world... they are a closed system... that's what I want, that's what I need. I want to live in a box without windows as I have since 78 and Apple Basic.

 

[Salvo]

Actually, Security Through Obscurity used to be Microsoft's policy during the Rise of NT. They actually had Marketing Campaigns about how NT was secure because it was "New Technology", and "Hackers" (crackers) didn't know how to get into it. This was about the same time as some kids I knew were Cracking their Teachers NT systems and getting hold of Exam Questions.
Microsoft don't advertise flaws in their system. Most of the Flaws which have been exploited by recent Windows Worms had Patches which could have been installed by the User, if they had known about them. There is no public record of what the patches fix, but Black Hat Crackers still manage to find out.
I make sure all my Clients who use Windows run Windows Update Weekly, and none of those who have followed my advice have been affected by a Worm yet. (just lots and lots of Spyware).

Apple don't advertise flaws in their systems to End-Users either, but Software Update exists so they don't have to.
This doesn't mean that they keep quiet about security problems, however. People who are Paranoid about security on their Mac can subscribe to Mailing lists and find detailed information on what an Update will do to their system, if they wish. Apple just don't show this information to everyone, since not everyone wants to know that;

HelpViewer: Fixes CAN-2004-0486 to ensure that HelpViewer will only process scripts that it initiated. Credit to lixlpixel <me@lixlpixel.com> for reporting this issue.

They're quite happy to only know that the update fixes something which was broken with HelpViewer.

Finally, if you want to live in a box without windows, and not have to worry about 5000 Hackers lighting matches, disconnect from the Internet. It's the only way you can safely say that you don't have any Internet Vulnerabilities on your computer. If you don't agree with this opinion, sell your mac and Start using the only 100% Closed Consumer Operating System currently available; Windows XP.

 

[mi5moav]

Hello, the entire post is about how I agree with Apple's security initiatives and how I don't want others like you telling Apple to change. They have done a wonderful job. Like I said before I think they should keep a tight lip, like they have done all these years and the only thing I need worry about is giving out my passwords. You my sir live in a Windows world I am deeply rooted with Apple's closed system and love it.

 

[Salvo]

No, I haven't used Windows as my Main Computer for almost 5 years. I live in an OpenSource World, a World which Apple Computer are relying on for most of their Security updates. Apple Patches for Vulnerabilities in Samba, SSH and even Kerberos have been provided to Apple Computer from Open Source Software Maintainers.

I support people who use Windows Computers, (they need all the support they can get), but don't actually use one myself. The only reason I would have Windows Box is for Testing.
My other two computers (beside my iBook) are a Debian GNU/Linux Box and a BeOS/OpenBeOS box. Much of the software I use is OpenSource, and therefore security is dictated by the OpenSource Security Model. If you don't want an OpenSource Security Model on your computer, so the following:

• Abandon Safari, Camino and Firefox. They all use either khtml or Gecko for rendering Webpages
• Abandon using Keychains. Kerberos is a key (excuse the pun) component of most of Apples security.
• Use Dave from Thursby Software instead of Samba. I know a few of the Samba Developers personally, and they OpenSource Advocation Extremists (all the ones I know run Debian).
• Don't use Apache Either. I don't know of any WebServer for MacOS X which is closed source, Apache and IIS have pretty-much cornered the market.
• Don't use Darwin. For that fact, don't use any MacOS Version since v10.0 (released shortly before Mach became the OpenSource Darwin)

If you choose to use any of the above mentioned software, you are using OpenSource Software, and must accept an Open Security Model. That is the nature of OpenSource Software.

 

[mi5moav]

Another one is finally getting it right... staying mum (you guys don't need to know)

Akamai refused to provide greater detail about Tuesday's attacks, citing a need to keep mum on the details of the company's architecture and to avoid giving more publicity to the attackers.

"The constitution is not the only word, it was a guide and at 200+ years I think he might be losing his sight" anonymous

 

[Salvo]

What Apple's Policy is on Security.
The information has always been available, when a Security Update is made. They provide one set of information for Users, and one set of Information for Enthusiasts and Professionals. They have always done this.
If you really want to know what Akamai is running, you can use NetCraft. The AkamaiGhost is a Proprietary WebServer, which they run on Linux. The information is out there if you want to attack it, but I'm pretty sure that the AkamaiGhost Developers tell their Customers about any Security Vulnerabilities as soon as they're discovered. Their Sole Customers are the Akamai SysOps, who need to know about any Vulnerabilities.
Apple's Customers are divided into three Groups; Users, PowerUsers (Enthusiasts) and Corporate (Enterprise). Users don't need to know about the ins and outs of every security Vulnerability. Power Users like to know, so they can avoid being exploited. Corporate SysOps Need to know. They're professionally Liable if their Customers Systems go down.
The Recent Kerfuffle was a result of Corporate SysOps and Enthusiasts discussing the Issue, and other Enthusiasts and Users finding out through those channels.
Traditionally, Apple have had only Users and Enthusiasts, with a few Corporates. With Apple expanding the Enthusiast and Corporate market, there is a (Justifiable, IMO) demand for more information.

 

[fryke]

About those who find security issues and make them public...

Yes, they seem like the ugliest beasts of hackers out there to some, but in fact they are not. They're _helping_ the community by putting some pressure onto the big ones. And Apple is one of the big ones here.

What usually happens is this, quite simply put:

1.) Person A finds a security hole in some of Apple's code.

2.) Person A informs Apple (and only Apple) about the issue and possibly also of easy ways on how to fix this (although that's often not necessary).

3.) Apple does not react. (And this is why people are bashing Apple!)

4.) Person A informs Apple that he/she will inform the public on [chosen date in the future].

5.) Apple does, or rather does NOT react, as has been the case at least twice in the past. (And this is why people are bashing Apple, too!)

6.) Person A publishes the info, often with an easy workaround users can do themselves (like disabling that DHCP for LDAP thingie).

7.) People cry out.

8.) Apple releases a security update that solves _half_ of the problem.

9.) Apple releases a security update that solves the rest of the problem.

10.) Apple says they were very fast releasing the security update.

You see, there are several points in that list where Apple _should_ be criticised. Of _course_ Apple should not inform the public of the security issue as soon as they receive the news from Person A. But they should solve the problem immediately and THEN inform the public both about the problem and the solution. This would be the 'good' way.

And then, a while later ...

11.) Apple also releases a patch for Mac OS X 10.2.8. No patch is released for system versions older than 10.2.x, which is too bad, because this actually means that 2 year old software is worth nothing at Apple. This just as a side rant. But I'm sure there are still servers out there running 10.1.5. Because they work flawlessly (other than the occasional hacker maybe also using the system for his/her tasks?). And an update to Mac OS X Server Panther is, you guessed it, 999$. (499$ for the 'small' version, I believe, but still much.)

 

[Salvo]

Another one is finally getting it right... staying mum (you guys don't need to know)

Akamai refused to provide greater detail about Tuesday's attacks, citing a need to keep mum on the details of the company's architecture and to avoid giving more publicity to the attackers.

Guess What!
Akamai have released details about how their network deals with this sort of thing! InfoWorld have an article up ATM.

Diversity, Diversity, Diversity. This is why the Opensource Open Development Process is so Secure.
While a Microsoft Server is almost definitely running IIS and Exchange, a Linux/FreeBSD System could be running Apache, Roxen, Xitami or any of dozens of different web servers, and Sendmail, Qmail or any of Dozens More Mail Servers.

There is no guarantee that a specific system is going to be running a specific Server, so exploiting vulnerabilities is more difficult. Worms and Viruses need to be more complex in order to propagate.

OBcomment:
Apple have chosen the best of the OpenSource Servers for MacOSX Server, but if one Server proves to be unable to remain secure, the User Transparent Configuration Layer that is System Preferences means that Apple can replace the entire Server without the (typical) User being concerned, transparently adding diversity.