News Blog



Apple disses hackers' Black Hat convention

In a move that could backfire, according to one security expert, Apple pulled out of a prominent hackers' convention taking place this week in Las Vegas.

Apple abruptly canceled what would have been its first appearance at Black Hat, an annual event in Las Vegas that features presentations from the world's most preeminent security researchers – a.k.a. hackers – according to Computerworld. Speakers typically highlight security shortcomings in a number of different technologies, including operating systems, e-mail and the Internet itself. Taking one's lumps at Black Hat is a rite* of passage in a technology's security evolution, as companies like Microsoft and networking equipment maker Cisco will attest.

Thanks to this move and a few other gestures of ill will toward its customers (such as dropping the price of the iPhone last year shortly after many had purchased one), says Herbert "Hugh" Thompson, chief security strategist at New York software security firm People Security, "Apple's shield of being a charmed company could be lifting." Hackers could take offense at the move and start turning their attention to the security flaws in the company's computers, software and cell phones, Thompson says.

As leaders in the software and networking markets, respectively, Microsoft and Cisco attract attention because hackers who develop attacks against these companies' products affect the most people. "Risk, in an operating system in particular, is a function of how vulnerable you are and how much people want to attack you," Thompson says. Apple's products, in particular its QuickTime Internet media player, are not more secure than these high-profile targets, but the public's sentiment has always been in their favor. "The damage is going to come now," he adds, "as people speculate as to why (they pulled out of Black Hat) and start disparaging them."

Black Hat Founder and Director Jeff Moss told Computerworld that Apple's marketing department "got wind of" the company's planned appearance. "Nobody at Apple is ever allowed to speak publicly about anything without marketing approval," he said. The company's presentation was supposed to be "them talking about security engineering and how they take security seriously."

Apple had set unusual conditions for speaking at the event: They wouldn't have to answer questions from the audience. Apple's canceled session was titled "Meet the Apple Security Experts," according to CRN magazine, which reported Moss as saying, "We had a lot of people from government agencies saying they'd love to know more about the security engineers at Apple, because it's such an opaque company." It seems the company will remain opaque, at least for now.

Apple's already starting to look a bit bruised. Petko Petkov, founder of security research firm GNUCITIZEN, said in the description on the Black Hat Web site of his presentation today that he planned to expose a flaw in Apple QuickTime running on the Windows operating system that Apple has yet to repair (a situation known as a "zero-day" bug), which means that hackers could immediately start attacking it. "If Apple responds before the event," he wrote, "I will drop the details of a QuickTime 0day for Windows Vista and XP." ScientificAmerican.com was unable to reach anyone who knew whether Petkov had gone through with his plans.

This wouldn't be the first time that hackers have tried to teach Apple the lesson that it should be more open about the security flaws in its products. Two hackers early last year created the "Month of Apple Bugs" project that made public a stream of security flaws in Apple's products, including the Mac OS X operating system and iChat instant messaging software.

Apple's strategy of tightly controlling its iPhone (it runs only on the AT&T wireless network) led to New Jersey teen George Hotz posting on YouTube a technique for modifying the iPhone so it can run over other wireless networks as well. This technique was not widely adopted, but it showed what happens when someone with technical skills sets their mind to picking apart Apple's technology.

Apple's absence from Black Hat had a bit of a ripple effect. Upon finding out about Apple's plans to cancel its presentation, security consultant Charles Edge was forced last month to withdraw a session he had proposed to Black Hat organizers about flaws in Apple's FileVault encryption software, citing confidentiality agreements he had signed with the company, according to the Washington Post.

The hacker community's relentless drive to break the technology in which companies invest millions of dollars is at times sated by a goodwill gesture from those companies. Microsoft learned this lesson after years of battling with security researchers over flaws in its products. Since 2003 the company has held biannual BlueHat security conferences, during which Microsoft invites prominent security researchers to its offices to discuss flaws in Microsoft products.

Thompson predicts that, if Apple doesn't learn from its mistakes the way Microsoft did, the company will start "losing that grace that customers had given them for a really long time because they have cool products. The haze is starting to lift and people are starting to ask more questions."

 

(Image courtesy of iStockphoto)

* corrected from earlier version

 

 

Tags: Microsoft, tech, Apple, Computers, Security, hacker

9 Comments

  1. allenarpadi 08:57 PM 8/5/08

    This sounds like a blackmail threat. Either Apple tells of their security weaknesses or we will find them and we will infiltrate/harm you.

    I understand that Apple is in constant communication with prominent security researchers. -arpadi

  2. Mzs 09:06 PM 8/5/08

    It seems to be that every tech company in the world has to ask for the blessings of the hacker community, to not be the target of their attacks. The products, the systems, everything is forbidden to be popular and widely used by the people: to not be attacked, every technology must be in the obscurity of the tech industry. We live in a new Holy Inquisition by these hacker clerics. Amen.

  3. can'thelpbuteditbutdon'tworryi'llnevercomeback 09:19 PM 8/5/08

    rite.
    It's "rite of passage."

  4. Bignumone 08:24 AM 8/6/08

    That is an amazingly thin veil on the threat, isn't it?
    "You WILL support our convention or be attacked by our acolytes. Submit or suffer the consequences! Oh, and then hand over your lunch money."
    What a bunch of bullies!
    Is anyone besides me SICK of people trying to make you live in fear of them or their group?

  5. Knurl 10:47 AM 8/6/08

    It seems that hackers deserve the opinion that they are thugs, miscreants, and bullies.

  6. mikecimerian 12:37 PM 8/6/08

    This comes as no surprise, since company lawyers rule Apple.

  7. masamune2823 12:39 PM 8/6/08

    It's better that a hacker be open with it and say, here's this problem in your software, fix it or we'll make it public, than someone who will just keep it a secret and hurt millions of people financially by doing so. Bullies maybe, but without them we'd be much worse off.

  8. Roopike 04:49 PM 8/6/08

    I think people should look at this less as blackmail, and more of an opportunity. First of all, most of these "hackers" aren't 20-year-olds living in their parents' basements, they're tenured faculty members at respected universities or high-ranking programmers in the industry. Often their jobs are based on the ability to find these problems and fix them, or use them as a teaching tool. Second, I agree with masamune that the people who attend Black Hat and Defcon and point out flaws, often with suggestions on how to address them, are better than truly malicious hackers (in this case I am talking about the non-tenured type) finding the same problems on their own and exploiting them. If Microsoft can use this as an opportunity, Apple should be willing to jump on too. Especially since, as pointed out in this article, though contrary to popular opinion, Apple software is not more secure, simply less often targeted.

  9. jmarbas 10:31 PM 8/6/08

    hry zato,

Apple disses hackers' Black Hat convention: Scientific American Blog
