Really CIS?
OK, so I saw in the industry press that CIS had put out configuration guidance for the iPhone. This seemed interesting to me, since I’m now an Android user (love it, by the way) – I think the Google phone is the best thing since sliced bread. Not that the iPhone and Android are the same thing; it’s just that I feel a kinship with iPhone users for some reason.
Anyway, I surfed over to the benchmark to check it out. Not surprisingly, there’s about as much complexity associated with hardening an iPhone as you’d probably expect. For example, they outline that “Airplane Mode” is pretty good from a security perspective, that it’s probably a good idea to turn the password protection feature on, and that you really ought to upgrade the firmware occasionally.
But believe it or not, I didn’t bring it up to make fun of the specific recommendations in the benchmark. It is what it is… No matter how obvious the recommendations might seem to us as security folks, explicitly pointing stuff out in a no-nonsense way can never be bad.
No, actually the reason I’m bringing this up comes about because of the “wall of text” in the legalese of the Benchmark’s Terms of Use. Check this out and see if anything about this strikes you as unusual:
CIS makes no representations… as to (i) the positive or negative effect of the Products or the Recommendations on the operation or the security of any particular network, computer system, network device, software, hardware…
Wait… wut? OK, so I’m not a lawyer. And maybe lawyers have a different meaning for the word “representation” (if so, I couldn’t find it). But doesn’t this (from the CIS Benchmark FAQ) sound like a representation “as to the positive effect” on security:
CIS Benchmarks enumerate security configuration settings and actions that “harden” your systems. They are unique, not because the settings and actions are unknown to any security specialist, but because consensus among hundreds of security professionals worldwide has defined these particular configurations.
What bothers me about this is that CIS clearly asserts that using the benchmarks will help secure your systems. What else could “harden your systems” mean? What would be the point of pointing out that “hundreds of experts agree” if the end state was not to make the security profile better?
It’s clearly the case. In fact, it’s sort of the whole point.
CIS leading with this seems to me kind of like Honda pasting a big yellow sticker on the Civic’s steering wheel that says “Automobile not intended for transportation.” … What the frick else would it be intended for? Outdoor paperweight? Portable cell-phone charger?
Is it really the case that we’re so far down the word-weasel road that the only way not to get sued is to entirely disavow what our products actually do? Can it really be that bad? Or is CIS just over the fence?