Apple disappoints at first Black Hat briefing

Apple's first Black Hat presentation was one of the most highly anticipated talks at this year's infosec gathering in Las Vegas, but many delegates were left feeling more than a little short-changed. The conference space for the presentation began filling up early, before the day's keynote with Neal Stephenson had even finished …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

So let me get this straight

Apple turned up

Everyone was expecting them to deliver the next coming of Christ.

They then talked about something 6 months old

refused to answer questions

and left the community annoyed.

Seems like regular Apple behavior to me.

19
2
Anonymous Coward

Time traveller?

"May" was 6 months ago?

3
2
Silver badge
Joke

Re: Time traveller?

Must have the iPhone calendar

3
2
Anonymous Coward

Nah, it's a rounding error

as he used the Android calculator.

http://www.youtube.com/watch?v=ys9fXQaQDac

4
0
Silver badge
Joke

What did anyone expect.

Apple kit is immune to ALL attacks and malware, END OF.

Bye and thanks for coming.

2
1
Silver badge
Trollface

So they cut some corners? There is patent for that!

Additionally:

"Each A5 processor has a unique identifier that is fused into the chip which cannot be changed and this is used to authenticate the device with software."

So when Intel does it, hell breaks loose, but with Apple it's all right? Very well, then.

25
1
Joke

Re: So they cut some corners? There is patent for that!

Shirley that should be 'rounded' some corners?

8
1
Big Brother

Double Standards Again

So when Intel does it, hell breaks loose, but with Apple it's all right?

That's right.

0
4

Re: So they cut some corners? There is patent for that!

Partly, I suspect, because Apple is selling a device, not something to be embedded in a device by others and which others MUST buy without a choice.

0
1
g e
Silver badge
Facepalm

Perhaps the speech

Reflects how much they actually know about dealing with security, experientially, rather than what the marketing dept says.

At least MS has a lot of experience ;o)

9
2
Anonymous Coward

Rich coming from you g e

IOS full device encryption: 2009 (iPhone 3GS)

Android full device encryption: 2011 (Galaxy Nexus)

iOS kernel ASLR: March 2011 (iOS 4.3)

Android kernel ASLR: June 2012 (Jelly Bean)

Perhaps you should guide your comment to the developer of your platform of choice.

4
7

Re: Rich coming from you g e

IOS full device encryption: 2009 (iPhone 3GS) <- 2 years -> iOS kernel ASLR: March 2011 (iOS 4.3)

Android full device encryption: 2011 (Galaxy Nexus) <- 1 year -> Android kernel ASLR: June 2012 (Jelly Bean)

I rest my case.

2
4
Thumb Down

Re: Rich coming from you g e @DJ

..and that's better than having ASLR actually running on the product earlier...how, exactly?

How long it takes is irrelevant - what counts is *when* it's actually running on consumer devices.

And even then, Jun 2012 is only on Nexus devices...other consumers will need to wait even longer until their vendor releases it. So actually it's 1 year...*and still counting*.

1
2
Silver badge

Only an iZombie...

Only an iZombie would think that Android is the only other smartphone platform out there. Full device encryption on Blackberry predates both of those, and has been built with security from the ground up since day one.

Which was years before either platform was even on the drawing board.

Maybe that's why BB has FIPS certification and the iSlab doesn't ... Those certs take years to get...

2
0

Re: Only an iZombie...

That's correct, the BlackBerry devices are pretty complete using AES 256 encryption and transmission security, but the little image exploit on the BES (server side) allowed remote code execution. This earned this one a CVSS 10 rating. Search RIM KB27244. A successful attack on that vuln could lead to DoS, malware installation, or elevation of privileges.

(fix provided in Aug 2011)

0
0
Holmes

Ouch

The info Apple presented, according to this news, sounds like something you can hear in the first half-day of basic training for secure coding. I suppose Black Hat is not the right venue for this kind of briefing.

For example, already the early Pentium processors had a unique ID, even if Intel did not admit it back then (among a couple of other secret features/registers). So, after 20 years, this should be SOP for any secure platform.

4
0
Silver badge

Re: Ouch

Do you really want all of your data locked to the CPU, so if your machine dies and you swap the disk to another it is all unreadable?

At least with an iPad there is no real expectation of recovering data/physically upgrading if it has failed (or stolen, as likely), and their whole software model is based on cloud backup.

And yes, you probably should have a backup of your PC but we all know how easy and regularly done that is...and how successfully and well tested the restore process is...

1
0
Silver badge
Coffee/keyboard

"all unnecessary tools removed and no remote login support or shell"

Well really? Apple are at the cutting edge of security here, no-one else has thought of that.

5
1
Anonymous Coward

What did they expect?

I would have thought that one of the cardinal rules of security is secrecy. You don't publish how you do it? Can you imagine the Abwehr or Wehrmacht telling all how enigma worked?

1
4
Anonymous Coward

Re: What did they expect?

You're right and the proof is it works quite well for the security services, e.g. MI5 and MI6. Considering the number of potential risks their failure rate is exceptional.

Can you imagine if they went to conferences revealing to world+dog what they do?

1
1
Silver badge

Re: What did they expect?

Quite the contrary; one of the cardinal rules of the security industry is that security by obscurity doesn't work.

8
1
404
Bronze badge
Trollface

Fortunately...

You don't have to commandeer an Apple iSubmarine to get a copy of the hardware/software...

;)

1
0
Anonymous Coward

Re: What did they expect?

"Can you imagine the Abwehr or Wehrmacht telling all how enigma worked?"

If they had, maybe someone would have pointed out the potential problems that could be exploited by an enemy? As it was they assumed it was perfect and never doubted the security of Enigma.

Secrecy has nothing to do with encryption; encryption is all about having a reliable process that's been scrutinized by enough smart people to explore the limitations and possible exploits.

3
0
Headmaster

Re: What did they expect?

> Can you imagine the Abwehr or Wehrmacht telling all how enigma worked?

How Enigma worked was not a secret. Three-rotor machines were sold for commercial use prior to the war.

5
0

Re: What did they expect?

@ThomH

There is a huge difference between obscurity and secret security.

Security by Obscurity is relying on people not knowing of a thing to keep it safe. For example, I have an Admin screen that can be accessed via a web browser. I don't tell anyone it exists (obscurity) but if they found out, then they could use it with impunity.

Keeping secret what security I have in place isn't the same. For example, my Admin screen has a security check on it that looks at who accesses it, logs the access and hides functions dependent on the permissions granted to that user. The user doesn't know any security has been applied, or how it has been applied: it's secret (and being server side, very difficult to detect).

Having a hidden ID on a chip that is used as part of a security check is still security. Someone may try to fake the ID and fool systems (much as they do with MAC addresses), but it still remains a method of security. Had they put a remote access mechanism in, and hoped that not telling anyone about it would keep it secure: That's what we're warned against as it simply doesn't work.

1
0
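The distinction the post above draws, as an added example that is not from the thread: an admin screen whose only protection is an unlisted path, beside one whose path is public but which identifies the caller server-side, logs the access, and shows each user only the functions they are permitted to use. The request and response types, the permission table and the audit log are all constructed here for illustration.

```python
"""Obscurity versus a server-side check: two handlers for an admin screen.

Added example. The Request/Response types, the PERMISSIONS table and the
AUDIT_LOG are constructed for illustration, not taken from any real system.
"""
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed permission table: user -> admin functions that user may call.
PERMISSIONS = {
    "alice": {"view_users", "reset_password"},
    "bob": {"view_users"},
}

# Every function the admin screen could offer.
ADMIN_FUNCTIONS = ("view_users", "reset_password", "drop_database")

@dataclass
class Request:
    path: str
    user: Optional[str]            # None means unauthenticated
    action: Optional[str] = None   # None means "show me the menu"

@dataclass
class Response:
    status: int
    body: Union[str, List[str]]

AUDIT_LOG: List[str] = []

def obscure_admin(req: Request) -> Response:
    """Security by obscurity: the only protection is that the path is unlisted.
    Whoever learns the path gets every function, unauthenticated."""
    if req.path != "/secret-admin-7f3a":          # constructed "hidden" path
        return Response(404, "not found")
    if req.action is not None:
        return Response(200, f"executed {req.action}")
    return Response(200, list(ADMIN_FUNCTIONS))

def checked_admin(req: Request) -> Response:
    """Server-side check: identify the caller, log the access, and expose only
    the functions that user is permitted to use. The path itself can be public."""
    if req.path != "/admin":
        return Response(404, "not found")
    allowed = PERMISSIONS.get(req.user or "", set())
    # Log every access, including denied ones, so probing is visible in the audit trail.
    AUDIT_LOG.append(
        f"user={req.user!r} path={req.path} action={req.action!r} allowed={sorted(allowed)}"
    )
    if not allowed:
        # Unknown or unprivileged callers get nothing, not a reduced menu.
        return Response(403, "forbidden")
    if req.action is None:
        # The menu shows only what this user may do; other functions stay hidden.
        return Response(200, sorted(allowed))
    if req.action not in allowed:
        # Knowing a function exists is not the same as being allowed to run it.
        return Response(403, "forbidden")
    return Response(200, f"executed {req.action}")
```

The point of the second handler is that the check is enforced on every request regardless of what the client knows; guessing the path or a function name changes nothing, and the audit log records the attempt.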

Re: What did they expect?

Much of the cryptography was done by taking advantage of the Germans putting requirements on the rotor configuration which actually reduced the number of combinations available. That and the fact that the U-boats would radio in weather reports in an identical format which were great for generating crib sheets.

0
0
Anonymous Coward

Re: What did they expect?

The guys at Bletchley knew how the Enigma worked; they still had to brute force it to decrypt the messages. To help them with the repetitive part of the process, they built the bombe machine.

The other machine, Colossus, was built to decrypt the Lorenz SZ40/42 machines. The guys who built this had never seen the Lorenz device or knew how it worked or even what it was called, an amazing piece of engineering and skill. Critical errors made by radio operators allowed the encryption to be understood and broken. The existence of the Colossus machine(s) was kept secret well beyond the war (70s?); even when other nations had announced they had cracked the encryption, Britain having this capability during the Second World War was a very well kept secret.

Keeping the Lorenz machine secret did not stop the Bletchley Park heroes from doing their job and shortening the war; however, Britain likely gained an advantage from keeping the Colossus machine quiet.

0
0

Re: What did they expect?

@AC 10:46: I presume you've never heard of Kerckhoffs's principle. You might want to read about it.

Here's a Wikipedia link to start you off: http://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

0
0
Anonymous Coward

Really?

"...De Atley explained how Apple has combined hardware and software to reduce the risk of a successful hack. Each A5 processor has a unique identifier that is fused into the chip which cannot be changed and this is used to authenticate the device with software...."

What would people say if MS did anything like this?

1
2
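An added example, not Apple's design and not code from the thread, showing the difference between an identifier that is merely presented (which, as the earlier comment notes, can be faked much like a MAC address) and a per-chip secret used in a challenge-response that never leaves the device. The device secret, the server's provisioning record and the exchange itself are all constructed here; the names `device_respond`, `Server` and `naive_id_check` are assumptions for illustration.

```python
"""Device authentication from a per-chip secret versus a readable identifier.

Added example. PROVISIONED is a constructed server-side record of each device's
fused secret; in a real design that secret is never readable by application code.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed: server's provisioning record, device id -> fused secret.
PROVISIONED: Dict[str, bytes] = {
    "device-0001": bytes.fromhex("00112233445566778899aabbccddeeff"),
}

def naive_id_check(claimed_id: str) -> bool:
    """Identifier sent in the clear: anything that can be read can be replayed
    or spoofed, so knowing a valid id is enough to pass this check."""
    return claimed_id in PROVISIONED

def device_respond(secret: bytes, challenge: bytes) -> bytes:
    """Runs on the device: only the keyed MAC over the server's challenge is
    sent back; the secret itself stays inside the chip."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class Server:
    """Issues single-use random challenges and verifies the device's response."""

    def __init__(self) -> None:
        self._outstanding: Dict[str, bytes] = {}

    def new_challenge(self, device_id: str) -> bytes:
        nonce = os.urandom(16)                 # fresh per attempt, so responses can't be replayed
        self._outstanding[device_id] = nonce
        return nonce

    def verify(self, device_id: str, response: bytes) -> bool:
        nonce: Optional[bytes] = self._outstanding.pop(device_id, None)  # single use
        secret = PROVISIONED.get(device_id)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison
```

The contrast is the replay case: a captured response is useless against a fresh challenge, and a device that does not hold the fused secret cannot produce a valid one, whereas the naive check accepts any party that has merely learned a valid identifier.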
Silver badge
Facepalm

Re: Really?

They'd say "Microsoft is in the chip business now?"

4
0

Blinders

Whatever your pre-bias about Apple may be...give them credit where due.

They've designed a quite secure mobile ecosystem from day-one. It's not perfect, but they evolve...and quite rapidly (unlike other vendors we can indict that have been sloth-like. Note also how many person-decades those others have wasted on tech support disaster mgmt for us, for our family, friends, and colleagues).

They've utterly dominated the mobile industry profit-wise and don't seem to relent or relax (again, unlike others that go on 5-year hiatus until their monopoly-trapped customers have been immolated).

As others have mentioned, more info at Black Hat would've been great but they don't telegraph intentions and don't do FUD (unlike past IT history shows those others doing).

For a hint, Apple just bought AuthenTec, a fingerprint sensor firm.

(To those frothing at the mouth...no, Apple won't claim they invented fingerprint security, but it will likely be implemented delightfully in iOS 7 in the next 15 months. Just admit it and enjoy the ride -- and how the industry reaction will veer off to hysteria & desperation.)

1
1
Silver badge

Re: Blinders

Um...

"They've designed a quite secure mobile ecosystem from day-one."

Nope, the stuff they're announcing is new; full-device crypto since 2009, but the iThingys have been out there for longer than that.

There's another platform that *did* get built with security from the ground up, and it ain't Apple, it's BB. If Apple is going to get that distinctive, maybe Symbian should deserve it as well, even if they added it later?

1
0
Anonymous Coward

What's the point of even showing up if all they do is regurgitate old news, and leave.... Seems like they were just tooting their own horn.

0
0