Everybody’s abuzz with the news of Charlie Miller (Apple hacker extraordinaire) getting booted from the iOS developer program.

I continue to be mystified by Apple and their product security.   I mean, here is Apple squelching security research of their product, but yet nobody (least of all Apple users) seem to care.  It’s a pattern of behavior in my onion:  Apple takes no action on broken SSL certs, and users don’t care.  Apple intrusively monitors user behavior, users don’t care. Apple patches issues secretly and nobody cares.

In the past, I would have argued that this kind of thing would lead to an immediate marketing backlash on the part of users and that that, in turn, would chill consumer purchasing of their products.  But quite frankly if there’s a backlash, it’s taking its time getting here.

The “stout denial – we don’t have a problem” approach usually doesn’t work when it comes to security, but for Apple the opposite seems to be true.  In fact, it seems to be helping them – allowing them to cultivate an aura of superior product security vs. inferior security.   So this time round?  Apple’s clearly squelching security research — and going after a pretty popular figure in doing sol this kind of thing would ordinarily upset users, but something tells me they’ll get away with it in the same way they have in the past.

Users (myself included) appear to have near-infinite patience with Apple.  For example, I’m looking at buying a new laptop to replace my current boat anchor.  Which one am I likely to buy?  Guess.

So you may have noticed that last week I was pretty worked up about Apple’s failure to address the DigiNotar issue in a timely manner.  Well, they put out an update on Friday that removes the default trust in Safari by addressing the default trust in KeyManager.  Well, that’s something.

Anyway, now that we know what Apple’s response is (i.e., patch KeyManager), some folks are now asking the question about whether that response is  - or is not – acceptable.

The fact that there’s discussion about this at all would probably be concerning to me on it’s own I have to admit, but have you seen the comments from the user community?   Here’s a few examples:

From the ThreatPost article responses, folks discount the amount of time as being near-negligible:

 Oh one whole week, the horror.  Silly Apple bashing. [anonymous]

or from the CW article comments, folks push back on the accuracy of the data available:

 Check the facts before publishing an article that is 100% wrong?… Oopsie looks like your dribbling your ritalin down your bib… Too hard to admit that you’re wrong and that your pathetic acceptance of this article’s fatal flaws is rather sad? [CountBrass, content from two individual comments]

or from Slashdot, others discount the impact of the issue and the risk it poses to users:

So, it took them 1 week to come out with an update to patch their browser? That doesn’t seem an egregious delay to me…  And if I understand it, this “security hole” is basically that you won’t get bad-certificate warnings if you visit certain fraudulent sites… which isn’t likely to happen unless you’re clicking links in phishing emails.  This hyperbole about apple being slow seems like hot air to me. [DoctorNathaniel]

But these comments don’t jive with what we know to be true.  Unpacking it, the following facts are not in dispute (by anyone):

1. DigiNotar was breached, with 531  certificates being issued fraudulently across a wide range of sites
2. Default trust within OS X is set via the  KeyManager, meaning that applications (including Safari) checking certificates within OS X derive trust via KeyManager settings
3. The default posture for KeyManager was to trust DigiNotar
4. Apple responded September 9 via a patch that revokes the explicit trust and makes it instead explicit distrust
5. September 9, when Apple responded, is 14 days (two weeks) after the bogus google.com cert was posted on pastebin (September 27).  It is 12 days after it appeared in the mainstream security news (for example we’re not in the “breaking the story” business and we covered it on the 29th)

These conclusions are based on those (again: undisputed) facts:

• Saying “a week” is generous. It’s exactly two calendar weeks from when it was technically “public” (the 27th), but more realistically August 29 days seems like the time when this should have hit Apple’s radar.  That’s 12 calendar days from when they patched, i.e. 10 business days.
• The fact that changes impact KeyManager vs. Safari doesn’t lessen the impact of this. It expands the risk. Other apps beyond Safari use the trust settings in KeyManager
• This is not about “browser warnings”.  We’re instead talking about a spectrum of possible attacks including an attacker being able to sit in the middle of SSL sessions (MITM), an attacker impersonating a known remote entity like a website or user, or an attacker signing code (thereby potentially granting it additional permissions).   This occurs across a broad swath of protocols.  Why?  Because more than just HTTP uses SSL…

I know I wrote about this yesterday, but I’m really starting to find it irritating and I find I need to hammer on it yet again.  Namely, Apple’s continued lack of action with respect to DigiNotar issue.

Here’s what we know:

• The Dutch government has said on record that their own Dutch government websites are no longer to be trusted in light of the issue
• Google, Microsoft, Firefox, etc have all revoked trust in the compromised CA
• 531 certificates are reported compromised to date

Seems like a big deal, don’t you think?  Kind of like an “eleven” on the certificate trust issue.  But yet Apple has not responded in any way.  Seriously.  Radio silence.

Here’s why that irritates me.  Apple markets (heavily) on security (remember the “no viruses” ads?).  They foster a perception in the marketplace of superior security.  Lion was called by some “the most secure consumer platform ever” (emphasis mine).  Now, I question that, and get only flames in response.  But here comes a time for Apple to ante up… and well, there’s nothing.   It’s not about me being right… it’s about looking at the evidence and judging their security profile based on merit: based on the evidence without preconception or bias.

Look, all of the marketing from Apple would lead you to the conclusion that they care about security, right?  So why do they continue to put their users at risk?  Because — make no bones about it — that’s what they’re doing here.  They’re saying, “sure, we have incontrovertible proof that a CA is broken, but we’re choosing to allow users to put full trust in it anyway.  You’re welcome.”

I use Apple products — I had a Mac for years and even on other devices use their software.  In my opinion,  every Apple customer (myself included along with every Mac, iPhone, iTunes, and QuickTime user) — should be paying attention here.  We should be asking if these the actions of a company that actually cares about security?  Or is this someone who cares just enough to use security as advertising, but not enough to actually follow through.

Just sayin’.

Image Source: soberinanightclub.com

I’ve seen quite a bit of coverage in the press recently about Apple’s newest OSX release: “Lion”… People are saying it’s a tremendous leap forward from a security perspective.  Not only does it apparently blow the socks off Snow Leopard,  but it also apparently outpaces other platforms — what some are calling “the most secure consumer platform ever”.

What others would “do well to emulate”

Here, check out what I’m talking about in action. This is from The Register:

“It’s a significant improvement, and the best way that I’ve described the level of security in Lion is that it’s Windows 7, plus, plus,” said Dino Dai Zovi, principal of security consultancy Trail of Bits and the coauthor of The Mac Hacker’s Handbook. “I generally tell Mac users that if they care about security, they should upgrade to Lion sooner rather than later, and the same goes for Windows users, too.”

The same article later goes on to say:

No doubt, Apple deserves kudos for setting a new standard in OS security that Microsoft and Linux distributors would do well to emulate.

Do well to emulate?  That would imply that the features aren’t already present in the other OSes, right?  I mean, if you are emulating something, you do it because someone else is doing something new, right?  From neolithic times on, people “emulate” because others are doing something better: “Grok see Tonga cook with fire.  Grok no have fire.  Grok keep getting dysentery.  Grok use fire now.”   If Grok already had fire?  Well, there’s no need to emulate, amirite?

How is Lion different?

So Lion must be really different, right?  I mean, to deserve the moniker of “most secure consumer platform ever“, one would think it would have to be… but that’s precisely where I keep getting stuck. Like, looking at the security features for Lion, these seem to be the big ones:

• ASLR
• Application Sandboxing
• Better FileVault
• FileSharing Improvements IAM and Privacy Improvements
• Read Only Screen Sharing
•  Browser Privacy Features

Between the Ars Technica review and checking out the other what’s new lists, I don’t think I’m missing anything major.  If I am, please tell me…  Assuming this is a fairly full list, doesn’t it seem like we’ve seen some of these before? I mean, look:

• ASLR - Apple was late to the ASLR party – they didn’t support it (and a broken version when they did) until 6 years after it was stock on OpenBSD.  Windows has ASLR in almost every current version of their OS – and a pretty good implementation of it too.
• Application Sandboxing – Out there already…  Unix-like platforms have had this capability forever.  It’s not a concept new to Microsoft either.   Yes, yes… implementations vary.  But a cataclysmal groundbreak for Apple?  Really?
• FileVault –  Woohoo! Encrypted drive stuff!  It now supports better… enc…ryp…*yawn*… AES… snore… and… wiping… capab… *OH*.  Sorry, did I doze off for a second there?
• Filesharing –  You can use your AppleID for filesharing.  You mean sort of like when you use your LiveID to connect to a Home Group?  Or like the way DropBox works?  Amazon cloud storage?  Google docs?  Not like that?
• Read Only Screen Sharing – Yep.  Totally new and 100% innovative on Apple’s part.  Apple was the first to have this feature, clearly.
• Browser Privacy – “Firefox”.  Period.

OK, so InfoWorld has this thing up about how iOS really is superior to everything else out there from a security perspective:

In five major areas, Apple’s iOS has better security than desktop operating systems and matches or exceeds the security of its smartphone rivals. iOS has a strong set of security features, including:

• A sandbox isolates programs, and iOS’s memory organization makes exploitation more difficult.
• Applications that run on the iOS are vetted by Apple and can be removed if found to be malicious.
• Patches can be quickly applied to the iPhone and iPad to close security holes in the operating system.
• The software is regularly reviewed, especially its open source components.
• The platform has the advantage of attacker psychology — attackers still target smartphones far less than desktop systems

So, the article is a little bit tongue in cheek and they are clear to point out that the position that it’s superior is “arguable”.  But at the core, I’m not convinced of the merits for these points.  The only claim that has merit IMHO is the second one, the one about the vetting of apps.  But let’s unpack.  To make it easier, let’s assign numbers to the bullets:

1. Sandbox, ASLR
2. Vetting of apps
3. Patches can be “quickly applied” (seriously?)
4. Software review
5. Smartphones are less of a target compared to desktops

In no particular order:

• #5:  So, we can immediately discount #5 because the claims is compared to other smartphones, whereas #5 only speaks to desktops.  So, doesn’t count in the case of smartphone vs. smartphone.
• #1:  Sandboxing? Randomized address space?  So…  Windows has these.  Were I to argue the merits of Windows as “clearly superior” from a security perspective because it has unspecified “sandboxing” as well as ASLR, would you agree with that position?
• #3: Quick patching… so, is the position that patches are quicker on iOS than other platforms, including desktops?  Really?  All other platforms?  Including desktops and open distributions like Linux or BSD?  Hmm…. I’m skeptical about that. I think probably what they mean is it’s on par with these others, therefore not really being an advantage per se… just more of a general feature
• #4:  Code review.  So, because some portions of the code are open source, they are reviewed and are therefore superior.  We’ve discussed this one.  Just because open source software can be reviewed, doesn’t mean anybody is reviewing it.  I put out Machilles back in the day (a Cocoa port of Achilles) which nobody used.  It is no longer actively maintained, but is open source.  Is that superior from a security perpective to commercial code just because?  If you believe that, I have a bridge to sell you

So the only one that has merit is #2.  Maybe #3 depending on which OS you are comparing it against (for example Mac OSX which has historically had a very slow patch cycle).  It’s interesting to look at, but at the end of the day, I remain unconvinced that iOS has an edge on any other platform from a security perspective.

You ever notice how we tend to “move the goalpost” on what constitutes intelligence when it comes to determining whether machines can be intelligent?  It seems to be that we define things as unintelligent because they can’t do particular tasks; as soon as it becomes evident they can do the task we’ve set?  Well, we rationalize why that’s so and come up with a new task to say they’re not intelligent because they can’t do.

Playing chess?  Understanding natural language? Passing the Turing Test?  As soon as it becomes clear that machines can do it, it ceases to be a criteria for “intelligence”.  Once the bar is passed, nobody argues that point anymore, they come up with a new one. And the fact that it ever was a bar at all is largely forgotten (“of course a computer could play chess better than a human!  it’s all about finding and selecting the best path”).

I observed a parallel to this as I read through reader reaction to Ed Bott’s continued coverage of Mac Defender (an interesting read if you’re not keeping up).  Check it out:

Still not a single virus epidemics in whole 27-year long Mac history (even though laboratory and proof of concept examples did exist.) And, whole MacDefender thing is grossly overblown by media since people have to have three level of cluelessness to actually harmed by this…

and:

11+ years of OS X with no real threats. 10+ years of security experts saying just wait! You will see. Here is looking forward to another decade of proving them wrong. Note: We know threats are out there! Apple has warned us to protect ourselves. Nobody thinks the mac is immune to any and all future attacks. But at current threat levels, worrying about infection is just a waste of time.

and:

actually you could have said this clearer… because OSX has actually proven that you can have a system that is “secure” it still has never been attacked successfully in the wild…

I wasn’t really sure what that last one was driving at, but it sounded like he was saying that OSX has never been hacked.  (???)  So I included it.  Since its friday afternoon and nobody’s reading blogs anyway, I won’t draw the point out… but is anybody else seeing the parallel here?

Image Source: akashdesai.com

I’ve been following the discussion Ed Bott has been having recently about this new breed of Mac malware – and the response from Apple about it.  I won’t go into too much detail about it, but in vein of a quick TLDR summary for those who aren’t going to click the links, here’s the deal:

• there’s some Mac malware making the rounds
• users aren’t sure how to respond so they’re calling AppleCare about it
• Apple’s position is not to support malware removal through AppleCare…  or at all really.  Although I’m sure there’s some sort of paid option that I’m not finding.

I do understand Apple’s position in not wanting to support the malware removal.  Mostly because any kind of large-scale malware outbreak could break the bank from a remediation and support standpoint if malware removal is free.  Not to mention that it would (as the customer support rep Bott spoke to indicated), “set the expectation” that they would do this in the future. So I get it.  But on the other hand, you’d think Apple would want to minimize negative publicity in light of their recent location-tracking debacle.  But whatever, I’m not bringing it up because of that.

The reason I bring it up is the changing tone in the responses Ed is receiving about this.  Specifically, in reading through the comments to his posts, I was surprised: the instance of rabid mouthfrothing and death threats seems to be on the decline.  Compare, for example, this comment thread from an article about Mac malware in 2005 on “Ask Leo” vs the current Bott article.  See the difference in the tone and tenor?  In 2005, the community accepted on faith that Mac was “better engineered” and therefore immune to malware.  In 2005, the community took it as a given that malware for the mac was not only an impossibility, but to argue otherwise was laughable.  In light of that kind of perception, the Apple advertising message about being malware-free made sense.

But now look at the Bott article responses.  Do you see anyone claiming that malware for Mac is laughable?  I don’t.  There are folks saying it’s somehow less serious on Apple: either because the users being infected are somehow stupid (the “blame the victim” argument), how since the malware is a trojan it “doesn’t really count”, and how the volume of occurrence (i.e. less than on Windows) still somehow means Apple users are better off.  Say what you want about that, but the discussion isn’t about immunity anymore.  “Relative susceptibility” sure, but not immunity.  Instead of “it can’t happen to me”, it’s “it happens to me less than to the other guy” or “it only happens to stupid people”.  An interesting shift.

Because once the community decides that Mac users are not immune by virtue of the fruit logo, are they going to change their responses?  After all, Apple using freedom from malware as a sales pitch only works to the extent that people believe that’s true. If users know it’s false?  Seems like it’s backfire-fodder at that point.

I’m seeing quite a bit of coverage in the mainstream press recently about the intersection of Mac, security generally, and malware specifically. I’m not going to call out once again any kind of reasoned argument about why Mac is not a special and unique snowflake when it comes to security and why it has the same problems as other platforms, despite a lower incidence of malware due to other factors. I’ve done that enough in the past that I’ll spare you any wandering diatribe about it today.

However, I did want to call out this coverage and note that I think it’s no coincidence that Apple is getting this attention now.   In the past, I’ve wondered how Apple has managed to avoid – in seemingly Teflon fashion – any real need to address the security-related aspects of its product-set (like everybody else, they have their own unique set of security problems).  Up to now, the community has been very resistant to accept that there’s anything to worry about from a security angle.  But I think that view could be changing slightly based on the coverage.

Specifically, it’s possible that the user community is responding to the location/iPhone fiasco that’s been developing over the past week or so.  In other words, in the past when Apple has maintained in their Mac marketing that security is less of an issue, members of the community have given Apple the benefit of the doubt.  So I’m wondering if they may have forfeited their Teflon privileges through the location debacle?  Would be interesting if so.

Anyway, I call it out only to note the trend.  I’m interested to see if it’ll continue or if some distance on the location issue will return the situation to status-quo.

Image Source: igadgetszone.com

As we found out last week, the iPhone tracks your movements. And now, they’re being called to explain to congress about the nature of this tracking:

In a statement, Markey’s office … expressed concern that iPhones running Apple’s iOS 4 operating system “collects customers’ location data, stores it on the user’s iPhone and iPad, backs it up when synced with another device, and could leave it unprotected.” That behavior may violate Section 222 of the Communications Act, a provision that … requires companies to get express authorization from their customers for the use, disclosure or access to location information for commercial purposes.”

Yes, yes… Apple tracks your location.  But what’s really interesting to me about this isn’t that they are collecting this location data, but instead that this is news.  I mean – didn’t we know this already?  They said explicitly that they were going to do this when they changed their privacy statement last year.  Check out what they said (emphasis mine):

We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it:   We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used…

So they’ve said that they can (and will) collect your location, your occupation, your device ID, etc. and record it, track it for any purpose.  Keep it forever?  Sure.  Use it for advertising? Check.  Sell it to marketers?  Don’t mind if I do.  They were even called upon to explain it to congress when they first announced it (and nothing’s changed since then), so I would ask what’s wrong with Congress that they didn’t put the kibosh on it last time around if they were going to be so incensed about it now.

Look, here’s the the chain of events (slightly simplified to illustrate the point):

1. Apple says, “we’re going to track your location” (they change their privacy policy)
2. Everyone says, “we agree Apple… track away” (users agree to the updated conditions)
3. A researcher discovers Apple does, in fact, track you (by finding the hidden tracking file)
4. Everybody freaks out (the media firestorm going on currently and Congress’ reaction)

Look, I know I’ve covered this before, so apologies for covering old ground.  But Apple (whether you think they’ve done the right thing in tracking this location data or not) – whatever their sins were – they don’t include hiding of their intentions.  So granted I’m not a lawyer or whatever, but it seems to me that someone clicking “I agree” to “hey, we’re going to track your location” would tend to constitute “express authorization”, wouldn’t you think?  Given the undesirable consequences, it’s clear that we need to stay alert, right?

In light of that, maybe it’s a good time to pay attention to what else Apple has stated they are going to do.  For example, what scares the hell out of me is their patent on how they plan to turn an iPhone into a remote snoop-o-bot that records your voice and takes pictures of you if you jailbreak it or unlock it (i.e., “hacking the electronic device, jailbreaking the electronic device, unlocking the electronic device, removing a SIM card from the electronic device, and moving at least a predetermined distance away from a synced device.”)

What specifically do they want to do?  From patent #389106:

…gathering one or more of screenshots, keylogs, communications packets served to the electronic device, and information related to a host device coupled to the electronic device …” (5)
“…record the voice of the current user…” (12)
“…detect the heartbeat of the current user…” (13)
“…take a photograph of the vicinity of the electronic device; and positioning circuitry operable to determine current location information of the electronic device…” (15)
“…an accelerometer operable to record a vibration profile of the electronic device; anda signal processor operable to compare the recorded vibration profile with a library of vibration profiles to determine a current mode of transportation of the electronic device…” (16)

Yeah, that’s pretty invasive. So, are we going to get all worked up in a year or two when we find out Apple has actually implemented this?  Maybe we should go on record now saying we want no part of it.  Since past performance seems to indicate that Apple’s going to follow through on what they state their intentions to be.

The Register has an interesting article up today about fraudsters using iTunes to bilk folks of cash. It’s an interesting read.  I actually hadn’t heard that Apple had implemented this functionality, but as it turns out, you can use iTunes as sort of a mini-Paypal to make periodic gifts to people.

So the fraud aspect of this itself is interesting on its own.  Since folks often do not establish the same strong password with a service like iTunes than they would with their PayPal or bank account, this is a ripe area for fraudsters and could very well be a path of least resistance for someone looking for a weak link in someone’s personal account usage.

But what really interests me about this isn’t so much the scam angle as it is the potential money laundering angle.  It’s always beneficial to have a way to seamlessly transmit dollars from point A to point B in a semi-anonymous, lightly-tracked, and easily-made-liquid way…. and, it seems like an astute criminal could find a way to do this via iTunes.  They could, one supposes, use a service that converts gift cards to cash to pull money out of an iTunes gift transfer of this type.  I’m not sure what Apple – or, in fact, any other purveyor of a gift card that enables electronic transfer (looking at you Amazon) – can do about it, but I’m wondering the extent to which criminals are doing this already…

Anyway, just interesting food for thought.