Focus on Apple
Re: Bill Gates on Mac OS X security Feb 03 2007 03:21PM
Dave Schroeder (das doit wisc edu) (2 replies)
On Feb 2, 2007, at 11:02 PM, David Maynor wrote:

> If you don't like the response don't be mad at me, email
> product-security (at) apple (dot) com and demand a timeline for when these types
> of features will be added.

Right now, I'd even settle for a basic EOL schedule for OSes...

I do have some serious questions on this topic of Mac OS X security.
Fanboy issues and incorrect beliefs held by many about Mac OS X
security aside, I think there is a problem with the way Apple
security issues are dealt with, including your wireless vulnerability.

You discovered a serious general 802.11 vulnerability that affected
many wireless chipset and driver combinations, and could affect Mac
OS X, Windows, and Linux. You chose to demo the issue on a MacBook
running Mac OS X - which is perfectly fine - in part, to show that
Mac OS X is indeed vulnerable to security issues, and even general
ones that affect multiple platforms at that. It's time people,
including Apple, wake up to a lot of these issues, or there *will* be
a rude awakening coming, reminiscent of the Microsoft of five years
ago. It took Microsoft *years* to pull itself out of that, and it's
still a work in progress.

However, that brings me to a question. When a general, severe 802.11
vulnerability is discovered and revealed, one which affects multiple
chipsets, drivers, and platforms, how is it fair, or even helpful to
any reasonable Mac OS X security discourse, to have IT and mainstream
press all over splash headlines like "MacBook hijacked in 30 seconds
- wirelessly", and generally make it appear to the casual reader that
this is ONLY an Apple problem, ONLY a Mac OS X problem, and a problem
with the new flagship consumer laptop to boot? I'm not saying YOU
wrote any of these articles; you're the researcher, not the
journalist. But I would like your opinion on the handling of that
issue, which was much broader than Mac OS X, in the media.

One corollary question to this would be, why was the third party USB
wireless card's brand and identity hidden because of what was stated
to be "responsible disclosure", while it was simultaneously asserted
that the MacBook's internal wireless was (essentially) identically
vulnerable? You can see why some people would find that seeming
discontinuity somewhat unfair. Again, this is NOT an accusation: it
is a legitimate question. I have since come to understand that maybe
the media was to blame for the handling and presentation of this
issue. However, I'm still wondering what your own personal thoughts
on this are, given that you were one of the codiscoverers and
presenters of the issue.

For some reason, I get interpreted as an Apple "fanboy" because I
defend Apple on issues like this. Me saying "hey, this affects way
more platforms than Mac OS X" or "targeting only Apple is a bit
unfair here" somehow gets construed as trying to "FUD" the issue
away, or somehow claim that Mac OS X is invulnerable (which I have
never remotely said, and is also wildly inaccurate to boot). Apple
has serious issues that need to be dealt with in regard to security
response and issue handling, the way big reporting is handled in
general, and the way it interacts with enterprise markets (of which
security is an integral part). What I'm concerned with is making sure
the debate is an intelligent and useful one, not having sky-is-
falling headlines splashed every time Mac OS X is vulnerable to
something, while, ironically, another Windows remote exploit
requiring no user interaction is making the rounds.

I don't think the "fanboys" are anything that really needs to be
worried about. What the concern should be is getting ordinary users
to understand that there are security issues to be aware of on Mac OS
X as any other OS. I believe that any changes at Apple with regard to
this will come from the enterprise marketplace. However, Apple really
isn't an enterprise company even though it occasionally dons
enterprise garb. Every positive change I have seen in Apple security
response to date has been a direct result of coordinated requests
made from the Mac "enterprise" community, which consists not really
of "enterprise", per se, but rather mostly of academic and government
research institutions. Some specific examples of these positive
changes were:

- More security issues began being handled in a more granular
fashion, instead of being reserved for the next major OS update. This
was done in direct response to feedback from the enterprise community.

- Apple's descriptions of security updates were always incredibly
vague. After much feedback in this area, Apple began describing much
more explicitly what was fixed and changed, citing the appropriate
advisories and CVE numbers, and acknowledging discovery/reporting.

- Apple rarely interacted with external security advisory
clearinghouses like US-CERT, Secunia, MITRE, and so on. There has
been an improved effort to update these clearinghouses with
information pertaining to Apple on issues.

- Occasionally (instead of never) providing security updates for
recent point versions of the OS, instead of always mandating that it
be the latest in the series. E.g., 10.4.3 and 10.4.4 instead of
10.4.4 only.

There's room for a LOT of improvement, but these are measurable
improvements nonetheless; my point here is that there has been
positive movement. So, how do we get more, and keep that going?

I see a quasi-Apple-affiliated group of Mac
"enterprise" users as being the primary conduit for getting this kind
of information into Apple. I'm not saying the general userbase won't
have value...but how does the general userbase "get" Apple to
respond? By getting people all riled up and having a constant stream
of negative mainstream press about Apple security (and usually
inaccurate at that, or at least failing miserably to grasp the nuance
or particulars of the situation)? By slapping down "fanboys" in some
ridiculous back and forth where both sides accuse each other of
ridiculous conspiracies to either artificially prop Apple up or tear
it down?

I see this happening in Apple from the organizational side. Some see
it happening from a technical side. Organizational has to happen
first. Security response has to become primarily a technical
engineering group in Apple, not a product marketing one. Security
design and audit needs to be preemptive, proactive, and continuous.
Security technologies such as you speak of need to be integrated into
the operating system. Engineers need to be able to *directly
communicate*, *officially* with security researchers and others
reporting issues. Bug reporting and emailing product-security can't
be the black holes and one-way conduits they usually are.

So, as a technical security researcher, what is your opinion on some
of what I'm bringing up here? You're intimately aware of these
issues, and have been a part of some of them yourself. Is anything
said here unreasonable?


Dave
