Former Apple Security Engineer To Apple: 'Fix Your Sh-t'

I haven't been following much of the tech news the last few weeks, but this seems to have plagued my Twitter feed, so I was aware of something going on!

Am I right in understanding that Firefox and Chrome connections are not affected by this bug?
The vulnerability is only exploitable if the attacker has access to your network?
How about SSH connections?

Personally don't have time to switch to another OS while Apple get their act together!
 
Going to continue my life as normal. My MacBook Air and MacBook Pro always stay on a desk, on a secure network.
 
As serious as my lack of concern. Others are in positions where they should be concerned; I am not.
 
Unfortunately for others that you say should be concerned, this issue is far more serious than your lack of concern.
 
To clarify, your concern is that him voicing his lack of concern does not diminish the concern he points out is the concern of others and is unrepresentative of those that should be concerned, thereby, him being unconcerned has undermined the magnitude of the concern which should concern him even if the original concern does not affect his particular concerns.
 
Unless I read into this wrong, as long as you are on a secure connection, this doesn't affect you.

Pretty much. It affects SSL connections, which is important, but not DESTRUCTION RAINS FROM THE HEAVENS. But hey, Apple trolling gets clicks.

Fix is on the way in 10.9.2, coming soon.
 
That former employee sounds really unprofessional, must have been a treat to work with.
 
Pretty much. It affects SSL connections, which is important, but not DESTRUCTION RAINS FROM THE HEAVENS. But hey, Apple trolling gets clicks.

When there's a serious security flaw in Windows or a nasty Windows virus going around, the same thing happens. This flaw was on the local news tonight and it was interesting how the story started off with how Apple prides itself on security. Indeed Apple has brought some of this on itself over the years, particularly during the days of the "I'm a Mac and I'm a PC" ad campaign.

No, it's not the end of the world, but this is an egregious flaw and it's been around for a long time. There's just no other way to put it.
 
Well, the problem usually is that the Windows bug or virus can really harm the PC, while this problem isn't really gonna cause you to have to format and reinstall everything or something like that. Unless you are of course using public wifi and deciding it's time to check all of your bank accounts and whatnot ;)
 
When there's a serious security flaw in Windows or a nasty Windows virus going around, the same thing happens. This flaw was on the local news tonight and it was interesting how the story started off with how Apple prides itself on security. Indeed Apple has brought some of this on itself over the years, particularly during the days of the "I'm a Mac and I'm a PC" ad campaign.

Like I said, Apple headlines get attention. The Verge is calling this an "epic" security flaw, which is an insult to the word epic.

Flaws in Microsoft products are treated as par for the course. How many local news stories devoted time to the most recent zero day flaw in IE9 and 10? You know, the one Microsoft may have to issue an out-of-order patch for.

Once the flaw was discovered, Apple patched it extremely quickly. Nice feature they have there, delta updates pushed directly to all eligible devices, without having to wait for carriers or OEMs to approve.

It's interesting that Apple's publishing of the vulnerability does not credit anyone. Meaning, this was caught internally through a code audit. Perhaps Apple is auditing or further improving security code in light of the NSA's antics?
 
Speaking of 10.9.2, I'm more excited about FaceTime audio than this "goto fail" bug.
 
Like I said, Apple headlines get attention. The Verge is calling this an "epic" security flaw, which is an insult to the word epic.

Flaws in Microsoft products are treated as par for the course. How many local news stories devoted time to the most recent zero day flaw in IE9 and 10? You know, the one Microsoft may have to issue an out-of-order patch for.

Once the flaw was discovered, Apple patched it extremely quickly. Nice feature they have there, delta updates pushed directly to all eligible devices, without having to wait for carriers or OEMs to approve.

It's interesting that Apple's publishing of the vulnerability does not credit anyone. Meaning, this was caught internally through a code audit. Perhaps Apple is auditing or further improving security code in light of the NSA's antics?

This is a pretty serious flaw. You may not think much of it, but I work for a mega bank and we take this kind of flaw VERY, VERY seriously. Do you really think we have a choice? Like most serious flaws, regardless of the OS, they aren't likely to ever affect a large percentage of users, and yes, it can get overblown.

The #1 flaw in x86 Windows is security and I've long said that OS X is more secure, but not because of any inherent technological superiority. Indeed the nature of this bug, nicknamed "gotofail", which stems from the most basic of programming errors, would tend to indicate that the notion of Apple OSes having any technological security superiority is preposterous. If the same resources that have been dedicated to x86 Windows malware were brought to bear on OS X, do you honestly think it would do much better?
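For readers who have not seen why the bug is called "goto fail", here is an added example (not from this thread and not Apple's code) that mirrors the publicly described control flow: a duplicated, unconditional "goto fail;" jumps past the final hash and signature steps while err still holds the 0 returned by the last successful step, so a bad signature is accepted. The helper functions are constructed stand-ins.

```c
#include <stdio.h>

/* Constructed stand-ins for the hash/signature steps (not SecureTransport):
 * the hash steps always succeed; raw_verify returns 0 only for a valid sig. */
static int hash_update(int *ctx, int chunk) { *ctx += chunk; return 0; }
static int hash_final(int *ctx) { (void)ctx; return 0; }
static int raw_verify(int sig_valid) { return sig_valid ? 0 : -1; }

/* Buggy flow: the second, indented "goto fail;" is unconditional, so
 * hash_final and raw_verify never run and err is still 0 (success). */
static int verify_buggy(int sig_valid)
{
    int ctx = 0;
    int err;
    if ((err = hash_update(&ctx, 1)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, 2)) != 0)
        goto fail;
        goto fail;                 /* duplicated line: always taken */
    if ((err = hash_final(&ctx)) != 0)
        goto fail;
    err = raw_verify(sig_valid);
fail:
    return err;                    /* 0 means the signature was accepted */
}

/* Fixed flow: stray line removed, and every if-body braced so an extra
 * statement can no longer hide behind indentation. */
static int verify_fixed(int sig_valid)
{
    int ctx = 0;
    int err;
    if ((err = hash_update(&ctx, 1)) != 0) { goto fail; }
    if ((err = hash_update(&ctx, 2)) != 0) { goto fail; }
    if ((err = hash_final(&ctx)) != 0) { goto fail; }
    err = raw_verify(sig_valid);
fail:
    return err;
}

int main(void)
{
    printf("buggy, bad signature: %d\n", verify_buggy(0)); /* 0: accepted */
    printf("fixed, bad signature: %d\n", verify_fixed(0)); /* -1: rejected */
    return 0;
}
```

Compiling with clang -Wunreachable-code flags the dead lines after the stray goto, which is the kind of warning that catches this class of mistake before it ships.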
 
You have to understand The Verge are Apple pumpers so them calling it "epic" is not an exaggeration.

Only the biggest Apple fans wouldn't see The Verge as an Apple fansite. If you look at their reporting on Microsoft, if someone farts in the wrong direction in Redmond, The Verge puts it on their Microsoft front page.
 
This is a pretty serious flaw. You may not think much of it but I work for a mega bank and we take this kind of flaw VERY, VERY seriously.

I didn't say it wasn't serious. I said it's being covered to this extent because Apple news, particularly negative Apple news, generates traffic for the site posting the news.

You're the only one who thinks this is being downplayed after you saw a story on your local evening news about it.
 
As mentioned, Chrome is not affected because it drags around its own SSL libraries.

Personally I think nobody needs to do any more than exchange just the SSL lib in iOS and OS X. No need for large patching.
 
The #1 flaw in x86 Windows is security and I've long said that OS X is more secure, but not because of any inherent technological superiority. Indeed the nature of this bug, nicknamed "gotofail", which stems from the most basic of programming errors, would tend to indicate that the notion of Apple OSes having any technological security superiority is preposterous. If the same resources that have been dedicated to x86 Windows malware were brought to bear on OS X, do you honestly think it would do much better?
Yes, it would still fare better. I don't know how you can argue that the pf firewall isn't inherently better than Windows' built-in firewall, or that security patching (and back ports) isn't an inherent feature of BSD in ways MS doesn't even attempt to do.
 
I didn't say it wasn't serious. I said it's being covered to this extent because Apple news, particularly negative Apple news, generates traffic for the site posting the news.

Again, Apple has always prided itself on how fantastic its security is, when something happens that puts those claims into doubt, that's just going to draw attention.

You're the only one who thinks this is being downplayed after you saw a story on your local evening news about it.

Not sure how you think I thought this was being downplayed, since I mentioned just how seriously this is being taken at work. We're sending out notices to iOS and OS X users about this, as obviously banking info is an extremely juicy target for something like this that has the potential to cost us a LOT of money and pissed-off customers wondering where their money went.
 
Yes, it would still fare better. I don't know how you can argue that the pf firewall isn't inherently better than Windows' built-in firewall, or that security patching (and back ports) isn't an inherent feature of BSD in ways MS doesn't even attempt to do.

If you say so, but it seems every time there's a Black Hat conference, OS X doesn't ever seem to come out any more unscathed than Windows. If you assume that something can't be pwned given the talent, resources and will, it's certain that it will be. That's Security 101.
 
Again, Apple has always prided itself on how fantastic its security is, when something happens that puts those claims into doubt, that's just going to draw attention.

Your local news station is quite unaware of Apple's security claims.
 
Your local news station is quite unaware of Apple's security claims.

All of those years of the "I'm a Mac and I'm a PC" ad campaign that beat the hell out of Windows over security were just made up by my local news station?
 
All of those years of the "I'm a Mac and I'm a PC" ad campaign that beat the hell out of Windows over security were just made up by my local news station?

While I found those ads stupid, I am pretty sure they were always about viruses. A Virus is one way to exploit, but it does not encompass every exploit.
 
All of those years of the "I'm a Mac and I'm a PC" ad campaign that beat the hell out of Windows over security were just made up by my local news station?

You actually think that was foremost in their minds when they ran a story on this? It's merely foremost in your mind.
 
You actually think that was foremost in their minds when they ran a story on this? It's merely foremost in your mind.

Those ads were pretty iconic and the campaign not too long ago, in 2009. There are many former ad campaigns that are in the collective psyche: "Less filling, Tastes great!", "Hey Mikey, he likes it!" and so on. But in any case, Apple has a well-documented history of priding itself on security, and when security issues arise in Apple products people are going to take note, especially ones like this. That's just how life works.
 
I'm just glad these non-Mac users are genuinely concerned for the welfare of Mac users. It fills me with the fuzzy-wuzzies and some such.

It is, of course, genuine concern rather than the relishing of an opportunity to point fingers and laugh.
 
Those ads were pretty iconic and the campaign not too long ago, in 2009. There are many former ad campaigns that are in the collective psyche: "Less filling, Tastes great!", "Hey Mikey, he likes it!" and so on. But in any case, Apple has a well-documented history of priding itself on security, and when security issues arise in Apple products people are going to take note, especially ones like this. That's just how life works.

You are the only person pointing to the "Get a Mac" ads in this. At all. Anywhere. It's more than a little nutty.
 
If you say so, but it seems every time there's a Black Hat conference, OS X doesn't ever seem to come out any more unscathed than Windows. If you assume that something can't be pwned given the talent, resources and will, it's certain that it will be. That's Security 101.
I haven't been to such a conference so I can't speak to those issues. If you have some links I'll read them, though. Have you gone or are you basing your assessment from news posted on this site?

I was commenting on your position about whether under-the-hood differences could account for something like OS X being inherently more secure than something like Windows. The fact that it doesn't have a common registry is one factor in and of itself that makes the system more inherently secure than something like Windows. I don't know the ins and outs of NT system administration, but it seems, as an end user, that out of the box my first account is a root account. That's not true for OS X. That's not always the case. I think that Ubuntu, a Linux (Debian) derivative, defaults primary accounts into sudoers. Debian is inherently more secure than Ubuntu for a variety of reasons: aside from account permission levels, the maintainers have various levels or degrees of releases. Some of them are more security-minded whereas some are more forward-thinking. Ubuntu stable is like the bleeding edge of Debian's testing branch.

So I don't just go around saying that nothing is unhackable or that all *nix environments are equally secure. But I also don't think that gives license to simply wave a hand and declare all OSes equally vulnerable. That's simply not the case.

It's also important to note that people who claim that security through obscurity is the reason Apple has been relatively inoculated for so long simply don't know the history. It's not surprising. Look around the board and you can count on a few hands the number of members vocal about their Mac usage... and the reality is that nearly everyone else is speaking about a platform they have no direct experience working on or in.

Before OS X, Apple had a *tiny* sliver of market share. Do you think they had a larger market share or a smaller one fifteen years ago? Yet, pre-OS X, their operating system was riddled with bugs and malware. So if someone wants to claim that they've achieved security through obscurity, they have to explain how they had more malware when they were more obscure. But that requires reasoning and logic beyond what most people around here are willing to expend on an Apple topic.

Taken the other way, iOS has been the leading platform for *years* and it hasn't been hit with exploit after exploit in the way that Android has. Even when Android was obscure it was riddled with holes and security concerns. Even now that it has taken a large chunk of market share, the data indicates that iOS users still drive the internet spending. So not only is iOS not an irrelevant slice of the overall mobile pie, it's also the most relevant in terms of money flowing through it... so it's certainly not some kind of unappealing target.

You and I are both old enough to have been around when Windows launched. And OS/2, I wager. And there were also a slew of bizarre variants of DOS/PC-DOS/Color Computer OS, etc. They were all hit with malware pretty much as soon as they launched. It's difficult to argue that OS/2 wasn't obscure or that Windows, at launch, wasn't obscure. Yet they suffered from malware pretty much immediately. There is never a lack of motivated offenders.

Finally, think about how much acclaim the first widespread virus for OS X would obtain. There isn't a hacker alive who wouldn't want to wear that mantle. The lack of widespread virii on the OS X platform is not for want of desire to create it.
 
I guess I'm the only one who finds it funny that Apple users feel secure because they think they are more secure than other systems.
 
https://www.youtube.com/watch?v=VuqZ8AqmLPY&feature=youtube_gdata_player

No mention of the word virus in this one, just security. And indeed it was a clever ad, because UAC was much reviled, but it's still around even in 8; these ads, ironically, aren't.

Lol, 2007. Do you realize that was within the previous decade?
Those ads were pretty iconic and the campaign not too long ago, in 2009.

What a long time to bear a grudge. That's, like, the length of someone's junior and high school careers. :p
 
The lack of widespread virii on the OS X platform is not for want of desire to create it.

No, lack of targets. It's just like any software: you go for the biggest market. The reason why people say the Windows Store (Windows 8 modern apps) lacks apps is the same reason why OS X lacks malware, especially viruses. As for Black Hat: http://www.macgasm.net/2011/08/08/os-secure-windows-7-reported-black-hat-conference/

I'm not trying to slam Apple here, but there's just the simple nature of economies and business at play here. Think about what is said of Windows 8: "No business will use it because of the new UI." The key word being business. That's why people focus malware efforts on Windows, because like apps in the mobile space, business comes to Windows. Of course Apple has a business market. Find me a business with 200,000 Macs installed like my work, a mega bank. I guarantee there will be a Mac virus the next day. No one gives two shits about term papers.
 
No, lack of targets. It's just like any software: you go for the biggest market.
Then why was there more malware when Apple presented fewer targets?

I don't begrudge you holding strong opinions but when I specifically point out that your logic is incorrect in light of the facts, why are you incapable of revising your opinion?
 
Lol, 2007. Do you realize that was within the previous decade?

The point being that you remember very well some ad campaigns from more than seven years ago unless you're 10.

What a long time to bear a grudge. That's, like, the length of someone's junior and high school careers. :p

Bear a grudge? LOL! http://www.youtube.com/watch?v=9DWLyrljLDk. This one ad was so bad that soon after, Apple had to pull this campaign. Indeed, it was different: Windows 7 quickly became the greatest desktop OS ever at the time. Apple does make mistakes, not as many as Microsoft, but every now and then they are pretty public and stupid.
 