SoylentNews is people

posted by janrinok on Monday June 08 2015, @01:14AM
from the a-worm-in-an-apple dept.

Apple is Having its Microsoft Moment

Faulty code is found in every operating system, app and software program. But Apple has an outdated strategy for fixing them. Remember when Apple would advertise it was safer than Windows? No more. Apple is now where Microsoft was a decade ago.

Computer engineers, hackers and people familiar with the company's practices explained that Apple is doing five things wrong in its approach to security:

  1. Apple's security updates are irregular and infrequent.
  2. Secrecy.
  3. Updates are only for the latest software.
  4. Unwillingness to pay [bug bounties].
  5. No admission of guilt.

Read more at http://money.cnn.com/2015/06/05/technology/apple-bugs/index.html?iid=SF_LN

Apple Could Learn from Microsoft on How to Handle Security

Remember when Apple would advertise it was safer than Windows? No more. Apple is now where Microsoft was ten years ago. Jose Pagliery writes at CNN that so far in 2015, five major flaws have affected Apple products, putting to rest the argument that "Apple computers are safer and bug-free." Just this week, we encountered a nasty bug that lets hackers bury computer viruses so deep inside Macs, you'll never find it. A week earlier, a flaw appeared that lets a text message crash an iPhone. Of course, faulty code is found in every operating system, app and software program, but Apple has an outdated strategy for fixing them.

The problem is that Apple is doing five things wrong in its approach to security:

  1. Apple's security updates are irregular and infrequent. "They don't appear to have a regular patch schedule like Microsoft, nor do they appear to patch continuously like Google does with Chrome," says Tod Beardsley. "Sometimes, patches are slow to arrive, but then again, sometimes patches are difficult to develop."
  2. Apple keeps quiet about its security holes. Apple didn't admit the latest Mac bug is even real (because that would entice hackers to exploit it). And while it acknowledges the text message flaw and offers advice for how to fix it, Apple hasn't explained the bug's root cause.
  3. Updates are only for the latest software. If you are one of the 47% of users still on Mavericks, Mountain Lion, Lion, and Snow Leopard, you are out of luck.
  4. Unwillingness to pay. Apple is one of the only major tech companies that doesn't reward researchers -- with money -- for finding potentially disastrous computer bugs.
  5. No admission of guilt.

When hackers broke into celebrity iCloud accounts and exposed nude photos last year, Apple CEO Tim Cook said the company would beef up security measures. But he blamed users, saying the problem was "not really an engineering thing."

According to researchers, Apple needs to overhaul its bug-reporting system to one similar to what Microsoft did years ago. In 2003, Microsoft introduced Patch Tuesday. Once a month, users would get a flood of updates to keep them safe. According to Microsoft, sending patches only once a month simplifies patch management. Because the date is known in advance, system administrators can plan for the day. In 2005, Microsoft started hosting Blue Hat, an invitation-only security conference to meet face-to-face with curious (and often aggressive) researchers. In 2013, Microsoft introduced its "bug bounty" program, stopped fighting the legion of hackers, and turned them into a ragtag army of Microsoft guardians. "Microsoft had worm after worm before meaningful security changes were made," says Katie Moussouris, Microsoft's former chief security strategist who implemented the bug bounty program. "Hopefully, Apple will adapt quickly."

[Ed note: The Hugh Pickens submission somehow lost its formatting and links when the story submissions were merged. We failed to notice that before the story went live. The story has been updated and we apologize for the error.]


Original Submission #1 Original Submission #2

 
This discussion has been archived. No new comments can be posted.
  • (Score: 0) by Anonymous Coward on Monday June 08 2015, @02:56AM (#193473)

    Fuck that. If the submitter doesn't give a fuck, it's a charity that the editor even mentions the submission.

  • (Score: 0) by Anonymous Coward on Monday June 08 2015, @02:59AM (#193475)

    Can't you make a single post w/o saying F***, or similar?

    Dude, you have a problem.

    • (Score: -1, Troll) by Anonymous Coward on Monday June 08 2015, @03:00AM (#193476)

      Fuck you, dumb fuck.