Things That Make You Go Hmmm… About Apple "Security"
Dear Tim Cook,
Have you searched for the term “antivirus” lately? — I’m guessing not.
Here’s what Google Instant is currently offering up:
Hmm, “antivirus for mac” — very interesting.
You know, maybe it’s time for Apple to adjust its “security culture”?
Let’s do some more searches. Here’s what you’ll get from apple.com when you search for “security updates”:
Marketing material. Typical. Oh, support info is on the right-hand side. Alright, fair enough then, security is a support issue.
Here’s what you’ll get from apple.com/support/ when you search for “security updates”:
The top result is from December of last year, and there are even older results below. But there does seem to be a mention of security updates inside the text. Opening the article finally links you to an index: Apple security updates.
The index shouldn’t be so difficult to find. And it’s kind of sad it needs to be in quotes to actually show up in the search results.
So let’s take a look at the most recent security update article:
At the very bottom of the page, there’s a section about Malware removal:
This is the definition of the word “summary” as provided by Google:
Not for nothing, but don’t you think its kind of lame that “malware removal” isn’t mentioned in the summary?
Now let’s search for something else.
Here’s something you’ll find if you search apple.com/support/ for “antivirus”:
Avoid harmful software? Gee, great tip. If this was 2009.
Internet downloads and email enclosures?
To be very frank, this advice was already behind the times when it was written in July 2012:
You just might want to get somebody to update that article with a mention of “exploits” and “drive-by attacks” and “watering holes” and… oh, you know, relevant stuff.
Look, here’s the thing. Eleven years ago, Internet worms smacked around Windows so much — it ended up being a real wake up call. At which point, Microsoft made a big, and successful, effort to change its security culture.
Here’s your corporate line:
“For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.”
Here’s the problem.
Apple not only refuses to confirm issues “until” patches are available — it doesn’t even discuss them after the fact.
And why is that a problem?
Because we don’t live in an era of Internet worms anymore. This is an era of Internet hacks! And information is valuable in that it allows for organizations with a large Mac user base to make informed threat assessments.
And the more Apple shares with the community, the better off everybody will be.
So please, consider making a change in Apple’s culture of secrecy and denial.
You have talented, and friendly, security response analysts working for you. Why not highlight their efforts? Consider putting them front and center and applaud them for their good work. Own this problem, get in front of it.
Because it’s the right thing to do.
Security Advisor, F-Secure Labs
On 27/02/13 At 01:22 PM