Apple would benefit from being more transparent about security

“It seems that Apple has gotten embroiled in a security scandal of one sort or another every few months,” Matthew Panzarino writes for TechCrunch.

“It dodged Heartbleed but was hit by the very embarrassing ‘goto fail’ bug. It was called out for not adequately documenting the uses of diagnostic tools that could have been used to collect data from user devices,” Panzarino writes. “Late last year researchers showed off a method for siphoning data via the charging port of iOS devices. A year ago a researcher went public with a method for accessing Apple IDs of developers after he says he got no response from Apple. And then there was this week’s celebrity photo hack, which may have been able to be prevented by making iCloud backups more secure.”

“In each of these cases, Apple fixed vulnerabilities, released support notes or patched bugs. But in almost all cases, and many others over the years, the company was as opaque as possible about explaining the details of security issues, reluctant to admit to them publicly and very unresponsive to independent security researchers. That leads to misunderstandings and FUD about the extent of the problems and the risks involved for users,” Panzarino writes. “This needs to change or it will continue to happen.”

Read more in the full article – recommendedhere.

MacDailyNews Take: Apple should get out of the business of handing their adversaries the weapons of mass FUD via Cupertino’s culture of silence.

Panzarino’s idea that Apple should “compensate hackers and security researchers for finding and reporting bugs to Apple” is proven and sound.

For example, the “iBrute” hack that was able to rapid-fire passwords at one of Apple’s Find My iPhone login interfaces would likely have been found, reported and fixed long ago. (Actually, that one is something Apple should have never allowed in the first place; proper security audits should have caught that before launch.)

As Panzarino writes, Apple “could definitely afford to incentivize those researchers, or at the very least develop a way to communicate with them more openly and effectively.”

[Thanks to MacDailyNews Reader “Dan K.” for the heads up.]


    1. What we are seeing right now is the traditional three week period before any announced Apple Event known as FUD Season. During FUD Season, every enemy of Apple unleashes their heavy guns and saved up anti-Apple ammunition—true, false, absurd, ridiculous, off-the-wall, innuendo laden tripe, into the blogosphere to see what sticks to the wall in an attempt to poison the well before Apple announces their new products. This year’s FUD Season is shaping up to be a Doozie.

  1. Apple has gradually improved both its security and its ‘transparency’ since 2005 when Symantec started the Apple security doom FUD-fest. In 2007, a bunch of hackers (including a couple of my hacker heroes) started targeting Apple security flaws in hopes of shaming Apple into getting security serious. It worked. There have been a few infamous security FAIL moments between then and now. Apple continues to fumble on occasion. But overall, OS X has been fortified to live up to its reputation as the single safest GUI operating systems on the planet. (Only OpenBSD and NetBSD have better reputations. Yes, I am taking Linux into account!)

    There will never be full ‘transparency’ specifically because it’s a wise strategy. It is a terrible idea to tip off hackers about security flaws until AFTER than have been patched. This is the reason why you will NEVER see CVE (Common Vulnerabilities and Exposures) details published before patches are available. It is also ideal to provide patches at UNpredictable times. IOW: Microsoft and Adobe’s ‘Patch Tuesday’ schedule is a terrible idea. It provides hackers with a convenient schedule to learn and use software exploits against unpatched users. There is contention over my assertion about patch scheduling. But I’ve never found them convincing. I prefer Apple’s strategy, which is to provide patches when they’re ready, not sooner, not later. I call this ASAP Patching and recommend it in just about every situation.

    You’ll note that Apple ALWAYS provides credits to folks who report to them any CVE issue, contrary to what’s stated in this article.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.