Mozilla security chief: Apple should open up
Security through transparency
Mozilla's security chief said Apple should disclose more information about the steps it takes to protect customers from malware and other computer-borne threats.
At a security conference on Monday, Window Snyder said open communication about recently reported vulnerabilities and ongoing processes for locking down products is a core responsibility of security departments at every software organization. The head of security for Mozilla's Firefox browser then singled out Apple as a vendor with room for improvement.
"I'm a big Apple fan - I've got a Mac right here," Snyder said as she gripped her MacBook while speaking at the MIS Training Institute's IT Security World conference in San Francisco. "But one of my big problems with Apple is we don't get to hear what they're doing with security. I'd have a lot more confidence if they would communicate that stuff."
Among developers of mainstream software, Apple's security department is one of the most tight-lipped. Unlike Microsoft, Mozilla and Google, it has no blog devoted to security, and the company rarely responds to reports about vulnerabilities found in its products. As we've pointed out on more than one occasion, the company frequently fails to clearly warn end users of the necessity of promptly installing updates when patching critical security holes.
While Snyder praised much of the behind-the-scenes work of Apple's security professionals, she said it's not enough that the work is carried out in secret.
"Being able to demonstrate that you're doing reasonable things and letting other people evaluate whether or not that's a reasonable process helps us as a security industry develop confidence in them [and] helps consumers recognize that those vendors are doing reasonable things," Snyder said. Referring to software organizations generally, she added: "It's painful if we have to rely on marketing to figure out whether or not something is secure."
Examples of the type of information Snyder said should be more forthcoming are whether Apple's security team is investigating reported vulnerabilities, whether patches for reported vulnerabilities are in the works, and the types of internal processes used to improve the security of major products. She held out Microsoft, her former employer, as an example.
"The security industry developed a lot more confidence in what Microsoft was doing in security because Microsoft started communicating about it and sharing some of the work that they're doing," she said. Holding up Windows Vista, which was developed under Microsoft's secure development lifecycle, she said, "We get to hear from Microsoft about the work they put into it and all the people they engaged to do consulting work and their secure development lifecycle."
She said that's a lost opportunity.
"They have a real opportunity there to show the rest of the security industry what they're doing because I think they are doing good work."
Apple's public relations team didn't respond to a request to comment for this story.
Snyder's comments came during a keynote titled Building Multi-Layer Defenses to Mitigate Threats Attackers Haven't Thought of Yet. In it, she focused on specific steps security professionals can take to proactively protect their users against vulnerabilities and other threats.
While the use of fuzzers, threat modeling, and code review were all mentioned, Snyder's overall theme seemed to be that security teams from various organizations need to work together, especially given how tightly so many products are interconnected. She held out last year's vulnerabilities in URI, or uniform resource identifier, handling as a case in point. Microsoft for months insisted that third-party applications such as Firefox - not its Internet Explorer browser - were responsible for a vulnerability that allowed malicious websites to install malware on end users' machines.
After much discussion and some criticism of that position, Redmond finally acknowledged that IE needed to do a better job of preventing malformed data from being passed to applications, and patched the browser. ®
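The URI-handler episode above turns on one defensive question: what should a browser check before it hands a URI to an external application? The following is an added illustration, not Microsoft's or Mozilla's code and not a reconstruction of either browser's actual fix. The allow-list of schemes, the character policy and the stand-in handler functions are all assumptions made for the example. The check refuses schemes with no registered handler, refuses URIs that carry literal whitespace or quotes (which a well-formed URI must percent-encode), and refuses URIs that, once percent-decoded, contain quoting or control characters that an external handler's command line could misread.

```python
import re
from typing import Callable, Dict, Tuple
from urllib.parse import unquote

# Assumed policy (not any real browser's): only these schemes have a
# registered external handler; everything else is refused outright.
REGISTERED_SCHEMES = frozenset({"mailto", "news"})
MAX_URI_LENGTH = 2048

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):(.*)$", re.DOTALL)

# A well-formed URI never carries literal whitespace or quotes; they must be
# percent-encoded, so their raw presence already marks the URI as malformed.
_RAW_FORBIDDEN = frozenset(' \t\r\n"\'')
# After percent-decoding, these are the characters an external handler's
# command line could misread as argument or quoting syntax.
_DECODED_FORBIDDEN = frozenset('"\'`\\')


def validate_external_uri(uri: str) -> Tuple[bool, str]:
    """Return (ok, reason); ok is True only if the URI may be dispatched."""
    if len(uri) > MAX_URI_LENGTH:
        return False, "uri exceeds length limit"
    match = _SCHEME_RE.match(uri)
    if not match:
        return False, "missing or malformed scheme"
    scheme, rest = match.group(1).lower(), match.group(2)
    if scheme not in REGISTERED_SCHEMES:
        return False, "scheme has no registered handler: " + scheme
    for ch in rest:
        if ch in _RAW_FORBIDDEN:
            return False, "literal whitespace or quote in raw uri"
    # Judge %22 and a literal quote alike by checking the decoded form too;
    # control characters are rejected wherever they appear after decoding.
    for ch in unquote(rest):
        if ch in _DECODED_FORBIDDEN or ord(ch) < 0x20 or ord(ch) == 0x7F:
            return False, "quoting or control character after decoding: %r" % ch
    return True, "ok"


def dispatch(uri: str, handlers: Dict[str, Callable[[str], str]]) -> str:
    """Validate first, then hand the URI to the scheme's handler."""
    ok, reason = validate_external_uri(uri)
    if not ok:
        return "blocked: " + reason
    scheme = uri.split(":", 1)[0].lower()
    return handlers[scheme](uri)


# Constructed sample URIs for the demonstration; the third one decodes to a
# quote and a space, the kind of content that should never reach a handler.
SAMPLE_URIS = [
    "mailto:alice@example.com",
    "mailto:alice@example.com?subject=hello%20there",
    "mailto:%22alice%22%20-x",
    "news:comp.security.announce",
    "ftp://example.com/pub/",
]

# Stand-in handlers (assumed); a real browser would launch the registered app.
HANDLERS = {
    "mailto": lambda u: "mail client opened for " + u,
    "news": lambda u: "news reader opened for " + u,
}


def run_demo() -> Dict[str, str]:
    """Run every sample through dispatch() and return the outcomes."""
    return {uri: dispatch(uri, HANDLERS) for uri in SAMPLE_URIS}


if __name__ == "__main__":
    for uri, outcome in run_demo().items():
        print(uri, "->", outcome)
```

The point of checking both the raw and the decoded form is that the two sides of a handler interface often disagree about who decodes: if the browser passes the raw string and the receiving application decodes it, a check on only one form misses what the other side will actually see. A second design choice worth keeping is the reason string, which gives the browser something concrete to log when a dispatch is refused.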
#1 Anything is *possible* but that doesn't make it *likely*. The day there are OS X viruses out in the wild your argument will have weight, until then it's just speculation.
#2 Tell me, why has OpenBSD only had two remote security holes in the default install in 10 years? Who's safer, an idiot user on an OpenBSD box or an idiot user on WinXP?
#3 You're talking about a trojan, not a virus. I think you have selective memory if you don't remember all those Windows viruses that spread by email that didn't even require a user to open the mail.
#4 Mac users don't need hope. I should think that 10 years of no viruses is reason enough to know that an anti-virus program isn't required.
#6 My car analogy could just as easily be applied to a house. Is it safer to buy a house with strong locks and burglar bars or a house where the windows are wide open? (pun intended!)
#7 Alexis was talking 5 years in the future, so the original context of your reply was wrong.
#8 Why should a casual user have to know about security? The whole point of owning a Mac is that it works for you, not the other way around. A user shouldn't have to update virus definitions, apply patches, defrag drives, clean the registry etc. In fact, even administrators shouldn't have to do those sorts of laborious tasks.
"You think any time someone posts negatively about Apple's practices you think its an attack on the company"
That's not what my argument was about at all. You should have recognized that when I mentioned UNIX, Linux, BSD et al. This is about idiots who think that Macs are only secure because they represent a smaller market share. If you truly believe that then you really have no understanding about OS security.
FYI I should point out that I have been a UNIX admin for several large ISPs and high street banks and currently work for a security consultancy firm. I use various UNIX flavours as well as OS X and Windows on a daily basis. So, you may want to point your "kool aid / mactard" comments at someone who doesn't recognize them as a childish means of lashing out at something you clearly don't understand.
#1 Is it not Linux that a company made a rootkit for last week? Just because something is non-existent or really rare now does not mean it will be in the future. 5 minutes after this comment is posted someone might make the most infectious virus ever for the Mac and release it, or they might not.
#2 OK, do those machines you just named have idiotic users physically at the machine using it, OR administrators who know what they're doing and don't use it for menial tasks? I've not seen many properly configured Windows servers with viruses on them.
#3 I found one virus, not a worm, I'll admit, called Leap-A while looking it up on Google, which you have to download and run, but let's face it, you can easily con users into doing that. If I remember right, that was how a good number of the popular Windows viruses spread. So how long until worms start? Like I said before, just because it does not exist yet does not mean it won't in the future.
#4 I never claimed to care about anti-virus programs on a Mac. I just said that, unlike a Mac user, I've got something to tell me I have nothing on my computer, rather than praying to the almighty Apple gods and hoping.
#5 You have a point; that also happens on Windows a lot, but let's face it, if you were going to make a program to get the widest distribution in the shortest time you would pick Windows, so my original context holds up also.
#6 A car is not the best analogy to use because no matter what you do it is still possible to steal it. The biggest threat to any security is an uninformed user, which is the way the original person I directed the reply to sounded, and why I used a house.
#7 OK, the 5 year comment was at Alexis Vallance, who said in the 5 years they owned it, not the total years the OS was out. So please learn to read the whole context and the person's post it was directed at, and do not show ignorance while calling someone else ignorant; it really makes you look kind of foolish.
#8 Well, as I have probably wasted a whole 3 days of CPU cycles on virus scans combined in 5 years on 2 boxes, while the computers would not be in use anyway, it doesn't really bother me. Now why bother bringing disk defrag into an argument about security? You call Webster and me clueless, but last I checked Windows users know about defrag and its use, whereas Mac users don't know security holes exist at all.
I hate to say it, but you mactards got something completely wrong. You think any time someone posts negatively about Apple's practices it's an attack on the company (or religion, the way most of you act) that you so love. I'm not trashing the Mac platform; actually it's the opposite. I hope it doesn't become as popular as Windows to write malware for, and I don't think telling their users how to make sure they don't get exploited, or even that a security hole exists, is hard, but it seems most of you, from your comments, prefer to think it's flawless and unbreakable. But whatever, it's all up to you, seeing as you're their consumer.
So please enjoy Steve's special kool-aid by all means.
And to make one correction: I ended my original comment the wrong way, seeing as I was tired from work; the pile of crap was not directed at Apple computers but at their practice of security through obscurity.
Sorry Kevin, you come across as clueless as Webster.
1. What is the sum total of all UNIX-based viruses? You want to tell me that all OS X, Linux, BSD, Solaris etc. machines combined are too small a number to be a target?
2. What do you think most banks and ISPs run their servers on? Oh, let's remember that banks only make up a tiny market share of all businesses so by your logic they are an unattractive target :-D
3. Show me an OS X worm out in the wild.
4. Regarding your ignorance about Mac anti-virus programs maybe you should try a simple Google search.
5. Your theory of profit is applicable, but not in the context you are thinking. Anti-virus writers love to drum up FUD about Mac viruses so they can try to sell more copies of their pointless software.
6. Yes you can lock down Windows to make it more secure but why should you have to? Why buy a car where you have to replace the locks which are harder to break into when you could have gotten a better engineered car with decent security in the first place?
7. OS X server 1.0 was released in 1999 so that would make it 9 years of no OS X viruses, not 5.
8. I hope you enjoy wasting time and cpu cycles on your virus scans. Bet you love a good old disk defrag too.
Now begone and try to educate yourself before your next display of ignorance!