Archive for the ‘Mouth-Frothing’ Category
Really CIS?
OK, so I saw in the industry press that CIS had put out configuration guidance for the iPhone. This seemed interesting to me, since I’m now an Android user (love it, by the way) – I think the Google phone is the best thing since sliced bread. Not that the iPhone and Android are the same thing – just because I feel a kinship with the iPhone users for some reason.
Anyway, I surfed over to the benchmark to check it out. Not surprisingly, there’s about as much complexity associated with hardening an iPhone as you’d probably expect. For example, they outline that “Airplane Mode” is pretty good from a security perspective, that it’s probably a good idea to turn the password protection feature on, and that you really ought to upgrade the firmware occasionally.
But believe it or not, I didn’t bring it up to make fun of the specific recommendations in the benchmark. It is what it is… No matter how obvious the recommendations might seem to us as security folks, explicitly pointing stuff out in a no-nonsense way can never be bad.
No, actually the reason I’m bringing this up comes about because of the “wall of text” in the legalese of the Benchmark’s Terms of Use. Check this out and see if anything about this strikes you as unusual:
CIS makes no representations… as to (i) the positive or negative effect of the Products or the Recommendations on the operation or the security of any particular network, computer system, network device, software, hardware…
Wait… wut? OK, so I’m not a lawyer. And maybe lawyers have a different meaning for the word “representation” (if so, I couldn’t find it). But doesn’t this (from the CIS Benchmark FAQ) sound like a representation “as to the positive effect” on security:
CIS Benchmarks enumerate security configuration settings and actions that “harden” your systems. They are unique, not because the settings and actions are unknown to any security specialist, but because consensus among hundreds of security professionals worldwide has defined these particular configurations.
What bothers me about this is that CIS clearly asserts that using the benchmarks will help secure your systems. What else could “harden your systems” mean? What would be the point of pointing out that “hundreds of experts agree” if the end state was not to make the security profile better?
It’s clearly the case. In fact, it’s sort of the whole point.
CIS leading with this seems to me kind of like Honda pasting a big yellow sticker on the Civic’s steering wheel that says “Automobile not intended for transportation.” … What the frick else would it be intended for? Outdoor paperweight? Portable cell-phone charger?
Is it really the case that we’re so far down the word-weasel road that the only way not to get sued is to entirely disavow what our products actually do? Can it really be that bad? Or is CIS just over the fence?
Math-Impaired Mac Security Advocates
I was reading through the Security Focus article “Triple Threat to Macs Largely Academic” this morning, since it is a topic of interest to me. The article was interesting, and I found it worthwhile that the author addressed the PR aspects of the recent security issues. All in all, an interesting read. But, being a glutton for punishment, I decided to read the comments as well. I figured there were probably some Mac owners “baitin’ for bear” that might have something to say about the security of OS X. There were. Some excerpts:
- …I suspect that people have been focusing on OSX ever since version 10.1, just that it took some real skills to do it until now, keeping the task of popping an OSX box way out of script kiddie reach.
- due to the *nix-like internal structure of OSX. This alone will prevent anything near the ungodly flood of crap that the typical Windows XP user has to deal with on a daily basis.
- think that OSX has been targeted the whole time, just that it took this long for anyone to actually find anything useful to crack it with, thanks to the ease with which Windows could be cracked and the higher skillset required to actually pop an OSX box from the outside.
Of course. For those who read this blog on a (semi) regular basis, you may remember the time I did a comparison of when patches came out for a vulnerability in libRuby to see how Apple compared to other vendors (read: not so well). Well, just to further underscore my point, I did the same exercise again, this time using a larger sample set: four vulnerabilities common to most Unix-based OS vendors (CVE-2005-1689, CVE-2005-2969, CVE-2005-0710, CVE-2005-3185). I then calculated the number of days that elapsed between the vulnerability announcement and when each vendor released an OS patch (all this data is freely available with a bit of digging by following the reference links in the CVE entry). Want to see what I found?

So, here’s my question: if Mac is so much more secure than other systems, why is it that it takes Apple on average 100 percent longer to patch vulnerabilities than other vendors? Or isn’t it just more likely that it isn’t worth an attacker’s time to go after it?
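For anyone who wants to repeat the measurement above, here is a small script of the kind the exercise calls for. It is an added example, not the script or data behind the post: the CVE ids and dates in it are constructed placeholders (not the post’s figures for the four 2005 CVEs), and the vendor names are invented. It also builds in the two checks that bite people doing this by hand: every vendor’s row for a given CVE must use the same public disclosure date (using each vendor’s own advisory date as the “announcement” makes slow vendors look fast), and a patch dated before disclosure is a data error, not a fast fix. Entries with no patch yet are excluded from the average (which flatters that vendor) and reported separately.

```python
from datetime import date
from statistics import mean, median
from typing import Dict, List, Optional, Tuple

# One record per (CVE, vendor): public disclosure date and the date the
# vendor's fix shipped, or None if no fix had shipped when the data was gathered.
Record = Tuple[str, str, date, Optional[date]]

# CONSTRUCTED sample data (placeholder CVE ids, vendor names and dates chosen
# to exercise the code); these are not the post's measurements.
SAMPLE: List[Record] = [
    ("CVE-0000-0001", "VendorA", date(2005, 3, 1), date(2005, 3, 4)),
    ("CVE-0000-0001", "VendorB", date(2005, 3, 1), date(2005, 3, 8)),
    ("CVE-0000-0001", "VendorC", date(2005, 3, 1), date(2005, 3, 13)),
    ("CVE-0000-0002", "VendorA", date(2005, 5, 10), date(2005, 5, 15)),
    ("CVE-0000-0002", "VendorB", date(2005, 5, 10), date(2005, 5, 19)),
    ("CVE-0000-0002", "VendorC", date(2005, 5, 10), date(2005, 5, 25)),
    ("CVE-0000-0003", "VendorA", date(2005, 9, 1), date(2005, 9, 5)),
    ("CVE-0000-0003", "VendorB", date(2005, 9, 1), date(2005, 9, 7)),
    ("CVE-0000-0003", "VendorC", date(2005, 9, 1), date(2005, 9, 7)),
    ("CVE-0000-0004", "VendorA", date(2005, 11, 1), date(2005, 11, 3)),
    ("CVE-0000-0004", "VendorB", date(2005, 11, 1), date(2005, 11, 9)),
    ("CVE-0000-0004", "VendorC", date(2005, 11, 1), None),  # still unpatched
]


def check_consistent_disclosure(records: List[Record]) -> None:
    """Every vendor row for a CVE must carry the same public disclosure date.

    If they differ, a vendor advisory date has been used as the
    'announcement', which hides that vendor's lag.
    """
    seen: Dict[str, date] = {}
    for cve, vendor, disclosed, _ in records:
        if cve in seen and seen[cve] != disclosed:
            raise ValueError(f"{cve}: disclosure date differs for {vendor}")
        seen.setdefault(cve, disclosed)


def lag_days(disclosed: date, patched: Optional[date]) -> Optional[int]:
    """Days from public disclosure to the vendor's fix; None if no fix yet."""
    if patched is None:
        return None
    if patched < disclosed:
        # A fix dated before disclosure means the disclosure date is wrong.
        raise ValueError(f"patch {patched} precedes disclosure {disclosed}")
    return (patched - disclosed).days


def lags_by_vendor(records: List[Record]) -> Dict[str, List[int]]:
    """Per-vendor list of lags in days, skipping unpatched entries."""
    check_consistent_disclosure(records)
    out: Dict[str, List[int]] = {}
    for _, vendor, disclosed, patched in records:
        out.setdefault(vendor, [])
        d = lag_days(disclosed, patched)
        if d is not None:
            out[vendor].append(d)
    return out


def summarize(records: List[Record]) -> Dict[str, Dict[str, float]]:
    """Mean and median lag per vendor plus the count of still-unpatched CVEs.

    Unpatched entries are left out of the mean, which flatters the vendor,
    so the count is reported alongside it.
    """
    lags = lags_by_vendor(records)
    unpatched = {v: 0 for v in lags}
    for _, vendor, _, patched in records:
        if patched is None:
            unpatched[vendor] += 1
    return {
        v: {"n": len(d), "mean": mean(d), "median": median(d), "unpatched": unpatched[v]}
        for v, d in lags.items()
    }


def relative_lag(records: List[Record], vendor: str) -> float:
    """Vendor's mean lag divided by the pooled mean lag of all other vendors.

    2.0 means the vendor takes 100 percent longer than the rest of the field.
    """
    lags = lags_by_vendor(records)
    own = lags[vendor]
    others = [d for v, ds in lags.items() if v != vendor for d in ds]
    return mean(own) / mean(others)


if __name__ == "__main__":
    for v, s in sorted(summarize(SAMPLE).items()):
        print(f"{v}: n={s['n']} mean={s['mean']:.1f} median={s['median']:.1f} "
              f"unpatched={s['unpatched']} x{relative_lag(SAMPLE, v):.2f} vs others")
```

With the constructed rows above, VendorC comes out at 2.0 times the pooled lag of the other two, and one of its four CVEs is still open and therefore not in its average at all; reporting both numbers together is what keeps the “100 percent longer” kind of claim honest. Swap in the real disclosure and advisory dates from the CVE reference links to reproduce the post’s comparison.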