Tim Cook Challenge: Fix Apple’s Security Mentality

| Particle Debris

With spring break and the Easter holiday upon us, there hasn’t been much technical news debris worth posting. Instead, I’d like to address an important Apple issue.

_________________

Apple’s CEO, Tim Cook, has been about the business of fine tuning Apple, making some needed changes and taking decisive action. His moves related to the China workers were bold. Now, it would be nice to see heightened attention to Apple’s OS security methodology added to the list.

As we know, for a long time Apple touted the superiority of OS X security. Of course, there were some obscure holes that could be exploited by experts like Charlie Miller at the annual DEF CON Conference. By and large, however, OS X has been pretty good in the past compared to Windows XP, because of the open source nature of Darwin, the UNIX core of OS X.

Along the way, however, things have changed. Microsoft put an enormous amount of work into Windows 7 security, hired security experts and, in some technical areas, surpassed OS X in security in the process. For example, Address Space Layout Randomization (ASLR) wasn’t as robust in Snow Leopard as it was even in Vista. These days, one hardly hears about laughably frequent and embarrassing major security holes in Windows 7.

Another area where Apple has been a bit of a doofus is in certificate management and OCSP and CRL options. That needs to be fixed as well.

So while Mozilla, the Linux community, Microsoft and the rest of the technical family energetically work together, come together at conferences, and work as a team to fight the bad guys, Apple pulls back and seems to go it alone for the sake of marketing image and message control. That is, the message is that all’s well with the Mac while everyone else has to scramble to keep up with Apple’s superior product. It’s time to mothball that conceit.

Things are different now, thanks to Apple’s enormous success. Apple products are incredibly popular, and the bad guys continue to get more clever as they work together to target ever more popular Macs. Apple sells boatloads of everything, so it’s no longer required to tout the technical superiority of a boutique UNIX product for the sake of gaining acceptance.

Of course, I am not overlooking the technical work Apple has done to improve security. Sandboxing and Apple signed digital certificates for Mac apps are significant measures. Even so, when marketing agenda gets in the way of good technology, it creates problems.

Apple has arrived in a big way. So now, it’s time for Apple to reset and put that old philosophy behind them. After all, the origin of the approach was the result of being a runner up, a niche player, politicking for more respect. Now, Apple should, in my opinion, step up and act like the giant, responsible company it is.

The result of Apple’s now discredited philosophy, a marketing instead of technical approach, is that an estimated 600,000 Macs have been infected with the Flashback Trojan. It was a combination of ignorant bliss by customers who had been led to believe that nothing could go wrong and Apple’s tardiness and stubbornness. Oracle knew about this Java vulnerability in February, but Apple didn’t act in time.

To make matters worse, Apple published a fix on Thursday and then, mysteriously, on Friday, published a second fix. That makes Apple look bad. Finally, Apple didn’t take any explicit action that I know of to inform customers how to detect and remove the trojan. As a result, I suspect, many customers who don’t have good technical knowledge may have believed that (if they had been infected) after they applied the two fixes, their problem would be solved.

That’s not so. Applying the preventive Java fixes doesn’t eradicate the trojan if the Mac has already been infected. To do that, read Jeff Gamet’s article.

While it may have been okay to hold Apple’s hand on these matters in the past when the company was beleaguered, it’s not appropriate anymore when Apple is a half trillion dollar company with nearly a hundred billion dollars in cash and other assets.

I’m hoping the new captain of the Apple ship, Tim Cook, will take decisive action, as he has already shown a tendency to do.

General Quarters has been sounded.

_____________

Image credit: Shutterstock.


3 Comments

furbies

John

You’re totally right.

For years we (in the Mac universe) sat back and sniggered at our (poor mindless) PC using friends because of all the viruses swarming about out there on the net for WinDoze boxes.

Now Apple needs to get its act together and be far more proactive in the fight against viruses & Trojans.
I’m not advocating a totally walled garden approach, but if Apple knows there’s a hole, then FIX IT! ASAP

Lee Dronick

I am sure Apple is looking at and coming up with rules of engagement, even if they are not doing it fast enough for our tastes. Maybe the next OS, I hope so. Of course that may not help with those running older versions.

This latest trojan, do we have any idea as to which websites have been the vectors?

wab95

John:

Well-reasoned argument. I agree with its overall thrust. With great power comes great responsibility. Apple have become an industrial superpower, with super responsibilities, which can no longer be addressed by the responsiveness of an underdog. This leads to what political and social scientists refer to as a clash between capability and delivery vs rising expectations. As the fortunes and observed capability of an entity grow, people’s expectations grow accordingly, and should those expectations fail to be addressed, profound dissatisfaction, even in the face of obvious improvements, can set in and destabilise the relationship between the entity and the public, in this case, the clients.

The clients, in this case, will soon, if they haven’t already, expect and deserve better.

You have no doubt seen the eruption across the Twitterverse over the weekend, e.g. Ed Bott - who seems to be scarcely able to contain himself, so torrential have been his tweets about the Mac and its community getting their comeuppance.

What Apple can scarcely afford, as it continues to make inroads for its OS X line into the enterprise on the momentum of its iOS line, is a sense that its security detail is second tier, or worse, an afterthought.

There is one other thing, in my opinion and based on my observations of the workplace, that the Mac community can do for itself, that could also facilitate enterprise acceptance of the OS X platform, namely step away from the argument that the Mac is either impervious or at least less vulnerable to malware and security compromise. The issue is not whether the Mac is or is not inherently more secure than Windows - most of the OS X community believe that it is. That’s not the point. Rather, most of the computer literate community, admittedly Windows dominant, believe computers to be vulnerable, full stop. Having a minority opinion that one’s platform of choice is immune is not merely a non sequitur in that venue, it hardens opposition to the platform and those who use it. It is seen as an arrogant, dangerous and offensive position. It wins no friends.

Instead, seeing a company’s leadership openly and publicly taking industry-standard steps to ensure security, and having Macs in the workplace following suit, sends a message that, not only does the Mac community understand the concerns of their PC using colleagues, when it comes to security, we’re all on the same side. Apple and Mac users are not the enemy; the bad guys are.
