
posted by janrinok on Monday June 08 2015, @01:14AM
from the a-worm-in-an-apple dept.

Apple is Having its Microsoft Moment

Faulty code is found in every operating system, app and software program. But Apple has an outdated strategy for fixing them. Remember when Apple would advertise it was safer than Windows? No more. Apple is now where Microsoft was a decade ago.

Computer engineers, hackers and people familiar with the company's practices explained that Apple is doing five things wrong in its approach to security:

  1. Apple's security updates are irregular and infrequent.
  2. Secrecy.
  3. Updates are only for the latest software.
  4. Unwillingness to pay [bug bounties].
  5. No admission of guilt.

Read more at http://money.cnn.com/2015/06/05/technology/apple-bugs/index.html?iid=SF_LN

Apple Could Learn from Microsoft on How to Handle Security

Remember when Apple would advertise it was safer than Windows? No more. Apple is now where Microsoft was ten years ago, as Jose Pagliery writes at CNN: so far in 2015, five major flaws have affected Apple products, putting to rest the argument that "Apple computers are safer and bug-free." Just this week, we encountered a nasty bug that lets hackers bury computer viruses so deep inside Macs, you'll never find it. A week earlier, a flaw appeared that lets a text message crash an iPhone. Of course, faulty code is found in every operating system, app and software program, but Apple has an outdated strategy for fixing them.

The problem is that Apple is doing five things wrong in its approach to security:

  1. Apple's security updates are irregular and infrequent. "They don't appear to have a regular patch schedule like Microsoft, nor do they appear to patch continuously like Google does with Chrome," says Tod Beardsley. "Sometimes, patches are slow to arrive, but then again, sometimes patches are difficult to develop."
  2. Apple keeps quiet about its security holes. Apple didn't admit the latest Mac bug is even real (because that would entice hackers to exploit it). And while it acknowledges the text message flaw and offers advice for how to fix it, Apple hasn't explained the bug's root cause.
  3. Updates are only for the latest software. If you are one of the 47% of users still on Mavericks, Mountain Lion, Lion, and Snow Leopard, you are out of luck.
  4. Unwillingness to pay. Apple is one of the only major tech companies that doesn't reward researchers -- with money -- for finding potentially disastrous computer bugs.
  5. No admission of guilt.

When hackers broke into celebrity iCloud accounts and exposed nude photos last year, Apple CEO Tim Cook said the company would beef up security measures. But he blamed users, saying the problem was "not really an engineering thing."

According to researchers, Apple needs to overhaul its bug-reporting system to one similar to what Microsoft did years ago. In 2003, Microsoft introduced Patch Tuesday. Once a month, users would get a flood of updates to keep them safe. According to Microsoft, sending patches only once a month simplifies patch management. Because the date is known in advance, system administrators can plan for the day. In 2005, Microsoft started hosting Blue Hat, an invitation-only security conference to meet face-to-face with curious (and often aggressive) researchers. In 2013 Microsoft introduced its "bug bounty" program and stopped fighting the legion of hackers -- and turned them into a ragtag army of Microsoft guardians. "Microsoft had worm after worm before meaningful security changes were made," says Katie Moussouris, Microsoft's former chief security strategist who implemented the bug bounty program. "Hopefully, Apple will adapt quickly."

[Ed note: The Hugh Pickens submission somehow lost its formatting and links when the story submissions were merged. We failed to notice that before the story went live. The story has been updated and we apologize for the error.]



  • (Score: 3, Insightful) by nyder on Monday June 08 2015, @01:28AM

    by nyder (4525) on Monday June 08 2015, @01:28AM (#193454)

    So what we have here is the normal big corporation that thinks it's doing great because based on the last 10 years, they've been kicking ass. No need to fix security bugs in old products because we only care about our latest offerings and by the time everyone figures the bugs in there, we'll be onto the next platform.

    My take on it.

  • (Score: 0) by Anonymous Coward on Monday June 08 2015, @01:54AM

    by Anonymous Coward on Monday June 08 2015, @01:54AM (#193458)

    They're present in the original submission (hooray! a win for the original submission link).

    • (Score: 0) by Anonymous Coward on Monday June 08 2015, @02:10AM

      by Anonymous Coward on Monday June 08 2015, @02:10AM (#193462)

      haven't looked at original sub, but ticho's looks way better, but blocks of text are just not my thing.

      • (Score: 0) by Anonymous Coward on Monday June 08 2015, @02:21AM

        by Anonymous Coward on Monday June 08 2015, @02:21AM (#193465)

        It looks like the editor did an "Olé" job on Hugh - he waved at it with a mouse. The spelling typo ("fulty") wasn't fixed, but two paragraphs were collapsed into one, and the links were removed.

        Is it too much to ask the editors to do a once-over glance at the edited submission to verify that it looks like a summary when it's rendered by a browser?

        btw I'm not hp.

        • (Score: 0) by Anonymous Coward on Monday June 08 2015, @02:56AM

          by Anonymous Coward on Monday June 08 2015, @02:56AM (#193473)

          Fuck that. If the submitter doesn't give a fuck, it's a charity that the editor even mentions the submission.

          • (Score: 0) by Anonymous Coward on Monday June 08 2015, @02:59AM

            by Anonymous Coward on Monday June 08 2015, @02:59AM (#193475)

            Can't you make a single post w/o saying F***, or similar?

            Dude, you have a problem.

            • (Score: -1, Troll) by Anonymous Coward on Monday June 08 2015, @03:00AM

              by Anonymous Coward on Monday June 08 2015, @03:00AM (#193476)

              Fuck you, dumb fuck.

        • (Score: 2) by janrinok on Monday June 08 2015, @05:44PM

          by janrinok (52) Subscriber Badge on Monday June 08 2015, @05:44PM (#193736) Journal
          No - I tried to merge the HP story into the first, and obviously didn't get the links right! As you know - it's always my fault. A big thanks to Takyon for fixing them for me. Sorry.
          --
          [nostyle RIP 06 May 2025]
      • (Score: 1, Insightful) by Anonymous Coward on Monday June 08 2015, @02:33AM

        by Anonymous Coward on Monday June 08 2015, @02:33AM (#193466)

        No carriage returns (aka new lines, paragraph tags, whatever) means I'm not going to bother trying to read it. This big blob of text looks like the emails my brother's wife sends (and that I don't read).

        Dear Editors, readability is essential. Somewhere between this wall of text and Bullet Point City is a happy medium.

  • (Score: 0) by Anonymous Coward on Monday June 08 2015, @02:37AM

    by Anonymous Coward on Monday June 08 2015, @02:37AM (#193467)

    Raise your hand if you read through pickens' post.

    • (Score: 0) by Anonymous Coward on Monday June 08 2015, @02:44AM

      by Anonymous Coward on Monday June 08 2015, @02:44AM (#193469)

      Pickens tried to add value to TFA by annotating their five points and adding some links about MS. In this case, I liked the sparse approach that ticho took. Reading through the five bullets is a good start, and gives the reader a choice of whether to read the details in TFA.

      • (Score: -1, Flamebait) by Anonymous Coward on Monday June 08 2015, @02:50AM

        by Anonymous Coward on Monday June 08 2015, @02:50AM (#193470)

        Fuck you, Pickens, and your "value".

      • (Score: 2) by ticho on Monday June 08 2015, @12:43PM

        by ticho (89) on Monday June 08 2015, @12:43PM (#193615) Homepage Journal

        Indeed, that's exactly what I was going for.

    • (Score: 0) by Anonymous Coward on Monday June 08 2015, @01:34PM

      by Anonymous Coward on Monday June 08 2015, @01:34PM (#193631)

      [Ed note: The Hugh Pickens submission somehow lost its formatting and links when the story submissions were merged. We failed to notice that before the story went live. The story has been updated and we apologize for the error.]

      Oh well. Never mind then.

    • (Score: 2) by fadrian on Tuesday June 09 2015, @09:27PM

      by fadrian (3194) on Tuesday June 09 2015, @09:27PM (#194265) Homepage

      Wait, wait... Here we're supposed to read TFA? Even when it's a PickensGram? Uh, no thanks...

      --
      That is all.
  • (Score: 3, Interesting) by mth on Monday June 08 2015, @02:51AM

    by mth (2848) on Monday June 08 2015, @02:51AM (#193472) Homepage

    Apple doesn't even seem to have an official published schedule for how long an OS X release is supported: I searched for it and only found people who said there wasn't one. While they do push out security updates for older releases, they don't do that for every single hole found, which means the systems running older OS X releases will be vulnerable. I think they need a big culture change to start taking security seriously.

    • (Score: 4, Insightful) by PartTimeZombie on Monday June 08 2015, @03:11AM

      by PartTimeZombie (4827) on Monday June 08 2015, @03:11AM (#193479)

      I think they need a big culture change to start taking security seriously.

      While I agree with your sentiment, Apple doesn't need a culture change at all. They make more profit than almost any corporation in history, and that's the only reason for their existence.
      When they stop making money, they'll think about a culture change.

      • (Score: 0) by Anonymous Coward on Monday June 08 2015, @08:57AM

        by Anonymous Coward on Monday June 08 2015, @08:57AM (#193578)

        Which worked out so well for IBM and Microsoft....

        • (Score: 2) by Nerdfest on Monday June 08 2015, @02:42PM

          by Nerdfest (80) on Monday June 08 2015, @02:42PM (#193668)

          IBM is a perfect example, as they are also a 'blind fanboy' driven company, although with a very different market segment. Without the "nobody ever got fired for buying IBM" crowd they would have been out of business 20 years ago.

  • (Score: 4, Interesting) by deimios on Monday June 08 2015, @03:04AM

    by deimios (201) on Monday June 08 2015, @03:04AM (#193477) Journal

    I thought that patch Tuesday was only good for the enterprise users; for home users it means you get a fix for a bug with a 1-30 day delay even if the bug was trivial to fix.

    It also means that black hats can time the release of new exploits for the days following patch Tuesday to try and maximize the time before MS fixes the bugs they exploited.

    For serious issues there were patches released outside the normal cycle but that just pissed off enterprise admins.

    MS finally got a clue and Windows 10 patches for home users aren't bound to any specific date while enterprise users will still have something similar to the current patch Tuesday.

    • (Score: 2) by darkfeline on Monday June 08 2015, @11:13PM

      by darkfeline (1030) on Monday June 08 2015, @11:13PM (#193857) Homepage

      I find it hard to believe that the majority of Windows users are being pwned by fresh exploits in the one month interval between Patch Tuesdays. At a guess, 95% of infections are from old exploits on machines that haven't been updated in a year or longer, not counting cases of user error (clicking on that .EXE porno downloaded from piratebay, etc.).

      --
      Join the SDF Public Access UNIX System today!
  • (Score: 0) by Anonymous Coward on Monday June 08 2015, @03:16AM

    by Anonymous Coward on Monday June 08 2015, @03:16AM (#193482)

    I now see

    OK

    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator, admin@soylentnews.org and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    More information about this error may be available in the server error log.

    more than I see any actual stories or comments!

    • (Score: 0) by Anonymous Coward on Monday June 08 2015, @04:51AM

      by Anonymous Coward on Monday June 08 2015, @04:51AM (#193513)

      I also got that a lot yesterday. Today, so far so good...

    • (Score: 5, Funny) by c0lo on Monday June 08 2015, @07:52AM

      by c0lo (156) Subscriber Badge on Monday June 08 2015, @07:52AM (#193560) Journal
      Well, I guess it's not Tuesday yet.
      (runs for cover)
      --
      https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 5, Insightful) by Gravis on Monday June 08 2015, @03:24AM

    by Gravis (4596) on Monday June 08 2015, @03:24AM (#193485)

    Apple is now where Microsoft was a decade ago.

    i dislike Apple because of how they conduct business but let's be clear, OS X is nothing like the clusterfuck that Windows not only was but still is. OS X itself is infrequently patched because there isn't much to fix. why is that? simple, OS X is a POSIX platform which gives it many intrinsic security features. last I checked, Windows still made its default user part of the Administrators group which is insane.

    enough hype.

    • (Score: 3, Informative) by mendax on Monday June 08 2015, @03:51AM

      by mendax (2840) on Monday June 08 2015, @03:51AM (#193497)

      I agree with the assessment that Apple is where Microsoft was a decade ago.... mostly. It has developed some serious security problems in recent years and the latest iterations of MacOS are major bloatware and performance nightmares, particularly on older equipment. But MacOS's security problems are nowhere near as bad as those found with Windows. 'Nuf said.

      I like MacOS and I have four Macs of various vintages running it. But let's face it... Linux runs one hell of a lot faster on them.

      --
      It's really quite a simple choice: Life, Death, or Los Angeles.
    • (Score: 4, Informative) by TheRaven on Monday June 08 2015, @08:15AM

      by TheRaven (270) on Monday June 08 2015, @08:15AM (#193565) Journal

      OS X is a POSIX platform which gives it many intrinsic security features

      Mostly it's not the POSIX features that make it secure, it's the TrustedBSD features (the underlying mechanism used for their sandboxing) and the Mach underpinnings (used to establish communication channels that allow you to attest to the remote end and propagate priority so that you don't get priority inversion from application compartmentalisation).

      last I checked, Windows still made its default user part of the Administrators group which is insane.

      OS X makes its default user part of the wheel group too.

      --
      sudo mod me up
    • (Score: 0) by Anonymous Coward on Monday June 08 2015, @05:59PM

      by Anonymous Coward on Monday June 08 2015, @05:59PM (#193744)

      http://delphi.org/2013/10/6-stages-of-debugging/ [delphi.org]

      You must first admit you have a problem.

      MS looks like a cluster fuck because it was used so much. As apple gains share it will become a bigger target. In fact it is a target that refuses to believe it IS a target.

  • (Score: 2) by kaszz on Monday June 08 2015, @03:51AM

    by kaszz (4211) on Monday June 08 2015, @03:51AM (#193496) Journal

    > 1. Apple's security updates are irregular and infrequent.
    What's the problem with that? Security issues don't show up with regularity. When an exploit shows up it must be better to make a patch and distribute it asap? Why wait for exploits to be used on users?

    > 2. Secrecy.
    It's Apple..

    > 3. Updates are only for the latest software.
    This is something that Apple has to change if they want to have credibility. But they rather want to be viewed as a flimsy latest model type of shop.
    (have the latest shiny or fuck off)

    > 4. Unwillingness to pay [bug bounties].
    So they encourage bug finders to sell them to that other marketplace. Does wonders for security..

    > 5. No admission of guilt.
    It's Apple..

    But I do agree that Apple have to reconsider how they handle security and bugs or that flow of money will be removed.
    Now if any bug were gay or security would allow you to run your own written software without Apple letter of indulgences and priesthood blessing, the patch to fix it will be sent out through negative time tunnel warp so fast it would be on your Apple infested computer last month. ;-)

    Btw, how hard is it to run software for Apple OS X on say Linux/BSD?

    • (Score: 3, Insightful) by tibman on Monday June 08 2015, @04:47AM

      by tibman (134) Subscriber Badge on Monday June 08 2015, @04:47AM (#193511)

      Irregular patch schedule is cool with me too. There is no need to sit on bugs or roll multiple unrelated things into one patch.

      --
      SN won't survive on lurkers alone. Write comments.
      • (Score: 2, Informative) by Anonymous Coward on Monday June 08 2015, @07:04AM

        by Anonymous Coward on Monday June 08 2015, @07:04AM (#193546)

        That was my first thought also. However, further down they do list "or continuously like Google does with Chrome" as a patch schedule.

        So they are not arguing that bugs need to be patched only the third Wednesday in a week, like a certain other company.

    • (Score: 0) by Anonymous Coward on Tuesday June 09 2015, @07:26PM

      by Anonymous Coward on Tuesday June 09 2015, @07:26PM (#194209)

      "It's Apple" Says it all. Arrogant and entitled...

      Bluntly this is no longer my problem. I moved back to high end off lease commodity hardware (read HP laptop) with Linux Mint.

      Apple lost me as a customer for 2 reasons:
      1) their handling of a bad battery pack which was bubbling. They "generously" offered me a new battery for $120, or a 90-day refurbished one for $90, or to sell me a new PC. I later found a third party battery online for $45 that was a perfect match for my Macbook, that still works today.

      2) lack of patches for older OS versions. Their answer when I couldn't upgrade any more was "get a new PC".

      ==> Well I did. Quad core I7 with 16GB... RAM runs linux mint like a bat out of hell (for under $900 CDN) and I have multiple VMs sandboxing any other OS I might need (win 7, etc...) to run the few pieces of software I need that don't have a linux equivalent.

      I was an early adopter of Apple when the price performance value proposition and service and support was still good (I still have nostalgic thoughts about the 12" silver powerbook). But I'm certain I'm gone for good at this point. Linux is mature enough and as good or better than Mac OS X, and the Apple hardware is just way over priced and has quality issues; my support experiences remind me of the early days with Windows... Other hardware manufacturers have brought the same portability and styling with the newer Ultrabooks.

      Frankly most of the early adopters I know are all moving away from Mac OS X, either to linux or back to Windows. The main fanboys of Apple are now in management or in business school (who usually take a while to adopt things).

      Apple won't go away soon... or stop making money.... but when the early adopters walk away it's a sign of change.

      I feel like a sober man walking out of a bar full of drunks, for whom the party is still in full swing and who are still talking about the virtues of Apple.

      Frankly say what you like: the Apple Fan boys can kiss my ass.

  • (Score: 0) by Anonymous Coward on Monday June 08 2015, @05:36AM

    by Anonymous Coward on Monday June 08 2015, @05:36AM (#193526)

    Remember the taunt of Ford standing for "Found On Road Dead"? Then "quality is job 1", and then eventually Ford made some pretty durable cars. AFAIK they still aren't no. 1 but they're vastly improved.

    • (Score: 0) by Anonymous Coward on Monday June 08 2015, @02:40PM

      by Anonymous Coward on Monday June 08 2015, @02:40PM (#193665)

      First on race day.

    • (Score: 0) by Anonymous Coward on Monday June 08 2015, @05:57PM

      by Anonymous Coward on Monday June 08 2015, @05:57PM (#193743)

      Fix It Again, Tony

      • (Score: 0) by Anonymous Coward on Monday June 08 2015, @09:58PM

        by Anonymous Coward on Monday June 08 2015, @09:58PM (#193832)

        Don't buy a car starting with F: Ford, Fiat, French.

  • (Score: 1, Insightful) by Anonymous Coward on Monday June 08 2015, @08:43AM

    by Anonymous Coward on Monday June 08 2015, @08:43AM (#193573)

    Advertise your stuff as a zero effort solution and then blame users for putting zero effort into security.

  • (Score: 1, Touché) by Anonymous Coward on Monday June 08 2015, @02:24PM

    by Anonymous Coward on Monday June 08 2015, @02:24PM (#193652)

    Faulty code is found in every operating system, app and software program

    Whoa there matey... Hold your horses...!
    Are you sure you're not just holding it wrong? I mean, there can't be anything wrong with APPLE stuffs, now can it?