Apple's first Black Hat presentation was one of the most highly anticipated talks at this year's infosec gathering in Las Vegas, but many delegates were left feeling more than a little short-changed. The conference space for the presentation began filling up early, before the day's keynote with Neal Stephenson had even …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Friday 27th July 2012 07:37 GMT Anonymous Coward

So let me get this straight

Apple turned up

Everyone was expecting them to deliver the next coming of christ.

They then talked about something 6 months old

refused to asnwer questions

and lef thte community annoyed.

Seems like regular apple behavior to me.

19 2
1. Friday 27th July 2012 07:45 GMT Anonymous Coward
  
  Time traveller?
  
  "May" was 6 months ago?
  
  3 2
  1. Friday 27th July 2012 08:32 GMT Ben Tasker
    
    Re: Time traveller?
    
    Must have the iPhone calendar
    
    3 2
    1. Friday 27th July 2012 09:39 GMT Anonymous Coward
      
      Nah, it's a rounding error
      
      as he used the Android calculator.
      
      http://www.youtube.com/watch?v=ys9fXQaQDac
      
      4 0
Friday 27th July 2012 08:01 GMT Anonymous Coward

What did anyone expect.

Apple kit is immune to ALL attacks and malware, END OF.

Bye and thanks for coming.

2 1
Friday 27th July 2012 08:44 GMT Destroy All Monsters

So they cut some corners? There is patent for that!

Additionally:

"Each A5 processor has a unique identifier that is fused into the chip which cannot be changed and this is used to authenticate the device with software."

So when Intel does it, hell breaks loose, but with Apple it's all right? Very well, then.

25 1
1. Friday 27th July 2012 10:19 GMT Barticus
  
  Re: So they cut some corners? There is patent for that!
  
  Shirley that should be 'rounded' some corners?
  
  8 1
2. Friday 27th July 2012 12:48 GMT Gordon Fecyk
  
  Double Standards Again
  
  So when Intel does it, hell breaks loose, but with Apple it's all right?
  
  That's right.
  
  0 4
3. Friday 27th July 2012 13:09 GMT Armando 123
  
  Re: So they cut some corners? There is patent for that!
  
  Partly, I suspect, because Apple is selling a device, not something to be embedded in a device by others and which others MUST buy without a choice.
  
  0 1
Friday 27th July 2012 08:49 GMT g e

Perhaps the speech

Reflects how much they actually know about dealing with security, experientially, rather than what the marketing dept says.

At least MS has a lot of experience ;o)

9 2
1. Friday 27th July 2012 10:20 GMT Anonymous Coward
  
  Rich coming from you g e
  
  IOS full device encryption: 2009 (iPhone 3GS)
  
  Android full device encryption: 2011 (Galaxy Nexus)
  
  iOS kernel ASLR: March 2011 (iOS 4.3)
  
  Android kernel ASLR: June 2012 (Jelly Bean)
  
  Perhaps you should guide your comment to the developer of your platform of choice.
  
  4 7
  1. Friday 27th July 2012 11:29 GMT DJ Smiley
    
    Re: Rich coming from you g e
    
    IOS full device encryption: 2009 (iPhone 3GS) <- 2 years -> iOS kernel ASLR: March 2011 (iOS 4.3)
    
    Android full device encryption: 2011 (Galaxy Nexus) <- 1 year -> Android kernel ASLR: June 2012 (Jelly Bean)
    
    I rest my case.
    
    2 4
    1. Friday 27th July 2012 14:22 GMT Silverburn
      
      Re: Rich coming from you g e @DJ
      
      ..and that's better than having ASLR actually running on the product earlier...how, exactly?
      
      How long it takes is irrelevant - what counts is *when* it's actually running on consumer devices.
      
      And even then, Jun 2012 is only on Nexus devices...other consumers will need to wait even longer until their vendor releases it. So actually it's 1 year...*and still counting*.
      
      1 2
  2. Saturday 28th July 2012 14:00 GMT Daniel B.
    
    Only an iZombie...
    
    Only an iZombie would think that Android is the only other smartphone platform out there. Full device encryption on Blackberry predates both of those, and has been built with security from the ground up sonce day one.
    
    Which was years before either platform was even in the drawing board.
    
    Maybe that's why BB has FIPS certification and the iSlab doesn't ... Those certs take years to get...
    
    2 0
    1. Monday 30th July 2012 08:49 GMT multipharious
      
      Re: Only an iZombie...
      
      That's correct, the BlackBerry devices are pretty complete using AES 256 encryption and transmission security, but the little image exploit on the BES (server side) allowed remote code execution. This earned this one a CVSS 10 rating. Search RIM KB27244. A successful attack on that vuln could lead to DoS, malware installation, or elevation of privileges.
      
      (fix provided in Aug 2011)
      
      0 0
Friday 27th July 2012 09:43 GMT Mika Peltokorpi

Ouch

The info Apple presented according to this news sounds like something, you can hear in 1st half day of basic training for secure coding. I suppose Black Hat is not right venue for this kind of briefing.

For example already the early Pentium processors had unique ID, even Intel did not admit it back then (among couple of other secret features/registers). So, after 20 years this should be a SOP for any secure platform.

4 0
1. Saturday 28th July 2012 04:47 GMT Paul Crawford
  
  Re: Ouch
  
  Do you really want all of your data locked to the CPU, so if your machine dies and you swap the disk to another it is all unreadable?
  
  At least with an iPad there is no real expectation of recovering data/physically upgrading if it has failed (or stolen, as likely), and their whole software model is based on cloud backup.
  
  And yes, you probably should have a backup of your PC but we all know how easy and regularly done that is...and how successfully and well tested the restore process is...
  
  1 0
Friday 27th July 2012 10:38 GMT Dan 55

"all unnecessary tools removed and no remote login support or shell"

Well really? Apple are at the cutting edge of security here, no-one else has thought of that.

5 1
Friday 27th July 2012 10:46 GMT Anonymous Coward

What did they expect?

I would have thought that one of the cardinal rules of security is secrecy. You don't publish how you do it? Can you imagine the Abwehr or Wehrmacht telling all how enigma worked?

1 4
1. Friday 27th July 2012 10:53 GMT Anonymous Coward
  
  Re: What did they expect?
  
  You're right and the proof is it works quite well for the security services, e.g. MI5 and MI6. Considering the number of potential risks their failure rate is exceptional.
  
  Can you imagine if they went to conferences revealing to world+dog what they do?
  
  1 1
2. Friday 27th July 2012 10:54 GMT ThomH
  
  Re: What did they expect?
  
  Quite the contrary; one of the cardinal rules of the security industry is that security by obscurity doesn't work.
  
  8 1
  1. Friday 27th July 2012 12:31 GMT PatientOne
    
    Re: What did they expect?
    
    @ThomH
    
    There is a huge difference between obscurity and secret security.
    
    Security by Obscurity is relying on people not knowing of a thing to keep it safe. For example, I have an Admin screen that can be accessed via a web browser. I don't tell anyone it exists (obscurity) but if they found out, then they could use it with impunity.
    
    Keeping secret what security I have in place isn't the same. For example, my Admin screen has a security check on it that looks at who access it, logs the access and hides functions dependent on the permissions granted to that user. The User doesn't know any security has been applied, or how it has been applied: It's secret (and being server side, very difficult to detect).
    
    Having a hidden ID on a chip that is used as part of a security check is still security. Someone may try to fake the ID and fool systems (much as they do with MAC addresses), but it still remains a method of security. Had they put a remote access mechanism in, and hoped that not telling anyone about it would keep it secure: That's what we're warned against as it simply doesn't work.
    
    1 0
3. Friday 27th July 2012 10:57 GMT 404
  
  Fortunately...
  
  You don't have to commandeer an Apple iSubmarine to get a copy of the hardware/software...
  
  ;)
  
  1 0
4. Friday 27th July 2012 11:14 GMT Anonymous Coward
  
  Re: What did they expect?
  
  "Can you imagine the Abwehr or Wehrmacht telling all how enigma worked?"
  
  If they had, maybe someone would have pointed out the potential problems that could be exploited by an enemy? As it was they assumed it was perfect and never doubted the security of Enigma.
  
  Secrecy has nothing to do with encryption; encryption is all about having a reliable process that's been scrutinized by enough smart people to explore the limitations and possible exploits.
  
  3 0
  1. Friday 27th July 2012 13:18 GMT My Alter Ego
    
    Re: What did they expect?
    
    Much of the cryptography was done by taking advantage of the Germans putting requirements on the rotor configuration which actually reduced the number of combinations available. That and the fact that the U-boats would radio in weather reports in an identical format which were great for generating crib sheets.
    
    0 0
5. Friday 27th July 2012 11:21 GMT Scott Wheeler
  
  Re: What did they expect?
  
  > Can you imagine the Abwehr or Wehrmacht telling all how enigma worked?
  
  How Enigma worked was not a secret. Three-rotor machines were sold for commercial use prior to the war.
  
  5 0
6. Friday 27th July 2012 13:54 GMT Anonymous Coward
  
  Re: What did they expect?
  
  The guys at Bletchley knew how the enigma worked, they still had to bruce force it to decrypt the messages. To help them with the repetitive part of the process, they built the bombe machine.
  
  The other machine, Colossus, was built to decrypt the Lorenz SZ40/42 machines. The guys who built this had never seen the Lorenz device or knew how it worked or even what it was called, an amazing piece of engineer and skill. Critical errors made by radio operators allowed the encryption to be understood and broken. The existance of the Colossus machine(s) was kept secret well beyond the war (70s?), even when other nations had announced they had cracked the encryption, Britain having this capability during the Second World War was a very well kept secret.
  
  Keeping the Lorenz machine secret did not stop the Bretchley Park heroes for doing their job and shorting the war, however Britain likely gained advantage from keeping the Colossus machine quiet.
  
  0 0
7. Friday 27th July 2012 15:14 GMT Jordan Davenport
  
  Re: What did they expect?
  
  @AC 10:46: I presume you've never heard of Kerckhoffs's principle. You might want to read about it.
  
  Here's a Wikipedia link to start you off: http://en.wikipedia.org/wiki/Kerckhoffs%27s_principle
  
  0 0
Friday 27th July 2012 11:27 GMT Anonymous Coward

Really?

"...De Atley explained how Apple has combined hardware and software to reduce the risk of a successful hack. Each A5 processor has a unique identifier that is fused into the chip which cannot be changed and this is used to authenticate the device with software...."

What would people say if MS did anything like this?

1 2
1. Friday 27th July 2012 11:54 GMT Steve Knox
  
  Re: Really?
  
  They'd say "Microsoft is in the chip business now?"
  
  4 0
Friday 27th July 2012 20:11 GMT gujiguju

Blinders

Whatever your pre-bias about Apple may be...give them credit where due.

They've designed a quite secure mobile ecosystem from day-one. It's not perfect, but they evolve...and quite rapidly (unlike other vendors we can indict that have been sloth-like. Note also how many person-decades those others have wasted on tech support disaster mgmt for us, for our family, friends, and colleagues).

They've utterly dominated the mobile industry profit-wise and don't seem to relent or relax (again, unlike others that go on 5-year hiatus until their monopoly-trapped customers have been immolated).

As others have mentioned, more info at Black Hat would've been great but they don't telegraph intentions and don't do FUD (unlike past IT history shows those others doing).

For a hint, Apple just bought AuthenTec, a fingerprint sensor firm.

(To those frothing at the mouth...no, Apple won't claim they invented fingerprint security, but it will likely be implemented delightfully in iOS 7 in the next 15 months. Just admit it and enjoy the ride -- and how the industry reaction will veer off to hysteria & desperation.)

1 1
1. Saturday 28th July 2012 14:18 GMT Daniel B.
  
  Re: Blinders
  
  Um...
  
  "They've designed a quite secure mobile ecosystem from day-one."
  
  Nope, the suff they're announcing is new; full-device crypto since 2009, but the iThingys have been out there for longer than that.
  
  There's another platform that *did* get built with security from the ground up, and it ain't Apple, it's BB. If Apple is going to get that distinctive, maybe Symbian should deserve is as well, even if they added it later?
  
  1 0
Tuesday 31st July 2012 08:37 GMT Anonymous Coward

What's the point of even showing up if all they do is regurgitate old news, and leave.... Seems like they were just tooting their own horn.

0 0