The Macalope: An Apple blog

August 7, 2008 3:33 PM PDT

This Christmas, your company's getting an iPhone in a box

by The Macalope
  • 7 comments

George Ou (yes, that George Ou!) has an interesting preview of David Maynor's (yes, that David Maynor!) presentation tomorrow at DEFCON 16.

The horny one doesn't know if David's ingenious idea was inspired by the dick in a box, but to riff on a theme:

1) Get a box
2) Put a hacked iPhone attached to an external battery and running reconnaissance or penetration (ahem) tools in the box
3) Mail the box to your girl -- er, some company
4) Penetrate (the Macalope said "ahem" already!) said company

And that's how you do it!

While many companies have their shipping and receiving done at separate locations because of more traditional kaboom-related threats, this is still pretty Mission: Impossible.

The usual jokers will probably take this as another sign of why iPhones shouldn't be allowed in the enterprise.

August 1, 2008 12:48 PM PDT

Where have you gone, George Ou? A nation turns its lonely eyes to you.

by The Macalope
  • 3 comments
March 31, 2008 10:15 AM PDT

Working the security drama queens.

by The Macalope
  • 14 comments

Unless you're too busy doing the rickrolling that's so popular with the kids these days, you probably saw that a MacBook Air got hacked at CanSecWest last week.

In a repeat of last year's "PWN 2 Own" contest, organizers this time offered three different laptops running three different operating systems.

David Maynor says:

I hope this puts to rest the myth that OSX is more secure but I am sure the zealots will have a million reasons why this is a fixed or rigged contest.

Well, the Macalope for one has already acceded to his contention that Vista is more secure based on the technical merits, if not the practical ones. So the brown and furry one's not really sure what he's on about. But he's sure David will find a Slashdot comment somewhere that will validate his Artie MacStrawmanism.

There's no denying that, as ZDNet's Larry Dignan says (no "Mac zealot" he), the MacBook Air was certainly the more coveted target:

[The Fujitsu running Vista and the Sony Vaio running Ubuntu] are still standing, but that may be because there's more hacker glory in taking down the MacBook Air.

Plus, you hack it, you keep it. So, sure, everyone's trying to hack the Air. (The Vista laptop was later hacked, but only after the rules were relaxed.)

But putting it all down to the Air metaphorically having a big red X painted on it is ultimately just sour grapes -- it got compromised, and that's a frowny face in the Apple column.

So the Macalope will reiterate his call -- again! -- to Apple to get more serious on security.

There are several reasons these security "professionals" are spending their waking and non-waking hours targeting Macs.

First, they're lashing out at what they think is a "smug attitude" by Apple on security. Frankly, Apple's corporate position on security is so lame that the only thing these people are basing this on is the "Get a Mac" ads. Yes, really. These people have the emotional maturity of a cup of fruit salad. That's all territory we've covered already.

Second, thanks to the resurgence of Apple, most of them have only just discovered the Mac. It's virgin territory for them and, like when Columbus "discovered" the New World, their first inclination is to immediately start shooting the natives and giving them all kinds of horrid diseases.

Third, Apple simply has not implemented a comprehensive security policy (see: Leopard firewall, Back To My Mac defaults). It may very well be that it's easier to exploit certain vectors on the Mac. The Macalope's not qualified to make that call.

Finally -- and this is the issue that would be the easiest for Apple to solve -- the members of the hacker community just don't know anyone at Apple. They know people at Microsoft because the company shmoozes the hell out of them.

If it wanted to, Apple could probably make serious inroads to this community and at least reduce its PR problem by hiring someone they know. Now, many of these people are not exactly the corporate citizen type. They often dress and smell funny and, if you've been paying attention, have the emotional maturity of a cup of fruit salad. So maybe Apple would want to poach someone from Microsoft or look to those who write about security -- your Rich Mogulls, your Ryan Naraines -- and tap someone like that. Sure, journalists still dress funny, but they fare slightly better on the olfactory and fruit salad scales.

See, the easiest thing in the world to do is to get someone who will take these people golfing and tell them "Dude, we are totally going to do that. Next release. I swear."

"Now watch this drive."

The company could defuse a large part of this without changing a line of code because it's less about the relative merits of the various platforms -- which are valid concerns -- than it is about emotion (see: salad, fruit).

And, really, this is exactly the kind of game that Apple has gotten wrong for 30 years. Shmoozing is not exactly the company's forte (just ask any Apple developer how the lunches are at WWDC).

The Macalope certainly wants to see Apple come up with a comprehensive strategy for implementing sound security in its software, he's just saying that there's more than one aspect to this issue. One requires coding, the other requires grease.

February 13, 2008 7:45 PM PST

Where is that naughty little phish?

by The Macalope
  • 3 comments

Several of the Macalope's astute and sexually dynamic readers asked him to hit this piece by Lance Ulanoff which essentially says Artie MacStrawman is teh stoopid and don't know nothin' 'bout no Intramanet suckurity.

Well, there's only so much jackassery even this mythical beast can take down, so he's going to punt this one to MacUser's Dan Moren, who ably handles the task. While the horny one wouldn't recommend anyone buy a Norton product, he thinks Dan's emphasis on, oh, you know, not wildly clicking on every URL that the former aides to a Namibian president send across your transom is spot on.

December 6, 2007 9:51 AM PST

Apple and the mysterious case of the iPhone purchase requirements.

by The Macalope
  • 4 comments

Sometimes it seems that ZDNet drives around in big vans, catches those prone to willful obtuseness with nets and takes them immediately to its headquarters where they're each given a blog.

This time ZDNet's David Berlind is hot on the trail of the hideous secret behind Apple's requirement that iPhones be purchased with a credit card.

And he's got a camera. The Macalope just bets Apple sales associates and holiday shoppers alike were just thrilled to see him coming.

"Oh, hell, Mabel, it's another one o' them ZDNet bloggers. Maybe we should head over to the food court until he clears out."

In fairness to Berlind, it does appear that he was sensitive to the length of the line behind him. But does he really need a camera crew for this? This isn't exactly an episode of To Catch A Predator. He hasn't even posted the video and the Macalope is perfectly willing to concede that everything he says happened did, in fact, happen. Do we really need to see all the annoyed glares and exasperated sighs of those around him?

As you can see in the video, I asked the clerk as well as a manager for some explanation of the policy and all they would tell me is that it's just the company's policy. There was no explanation.

It is truly shocking that Apple retail sales associates are somewhat reluctant to accuse walk-in customers -- particularly ones with video cameras pointed at them -- of wanting to resell its products for a markup. Or to get into an argument with well-gelled ZDNet bloggers over it.

Berlind then grandly comes to the realization that, well, the rest of us came to over a month ago. [UPDATE: The Macalope mistakenly thought this was a recent piece as it was included in one of ZDNet's daily emails, however it was written in early November. So, Berlind was only a week behind the curve instead of over a month.]

You don't have to be a rocket scientist to connect the dots. Apple has relationships that it's contractually bound to protect and must do whatever it can to eliminate the gray market.

No, you certainly don't have to be a rocket scientist. You just have to have a fourth grade reading level and access to teh Googles because back in October Engadget quoted an Apple spokesperson saying the reason was "to discourage unauthorized resellers".

What really has Berlind's stylish taupe suit pants in a bind is the insinuation by an Apple retail associate that the company could use your name and credit card number to determine how many iPhones you'd purchased.

When I went back (we don't have this part on video), I asked for the same manager. But this time, a woman came out and I told her that the first manager I was dealing with had offered to look something up. Before I could finish, she said "Your name." She went on to explain that I was only allowed to buy a maximum of two iPhones and that, if they could determine with some confidence that I had not already reached that quota, that they could sell me one for cash.

Why is this a problem according to Berlind? After talking to some Visa contacts, he believes Apple may be in violation of the PCI DSS, a credit card industry standard for maintaining data security.

Berlind describes the PCI DSS thusly:

As far as I can tell, the standard policy potentially yields two important results. First, it protects the privacy of cardholders. Second, it helps merchants and card issuers manage risk. It does this by spelling out in fairly detailed terms what can and can't be done with the information that's retrieved off a credit card's magnetic stripe and the lengths to which IT systems must go to protect data (eg: it talks about firewalls, encryption, etc.).

The Macalope is not a lawyer or an information security expert (although he has dealt with information security issues in the financial industry), but he read through the PCI DSS (you can click through the summary to get a PDF of the detail -- it's riveting) and he thinks Berlind's reading (assuming he read it and didn't just rely on the summary he got from someone at Visa) is off here. From the brown and furry one's reading, the PCI DSS is almost solely concerned with physical and logical security and restricting access to "those with a need to know". It tells companies what they must do to protect customer data, but says almost nothing about what the company itself can do with the data. The closest it comes is Requirement 3.1, which tells merchants to keep stored cardholder data to the minimum their business, legal or regulatory needs require, and Requirement 3.2, which says the sensitive authentication data (full magnetic stripe, card validation code, PIN) may not be kept after authorization at all. Neither says a merchant with a business reason can't look up what a customer bought.

There may very well be other legislation and requirements that restrict the types of lookups Berlind is concerned with, but the PCI DSS doesn't appear to be one of them.

Berlind's point is that Apple has to tie a customer name to a credit card number to get a valid key for figuring out whether or not someone has previously purchased an iPhone. It's also possible, however, to do that with just the last four digits of the credit card number. That may not be any better from the perspective of someone concerned about Steve Jobs sitting in his super-secret lair beneath an island volcano and poring over customers' purchases -- "Aha! He has an iPhone and likes Pushing Daisies! I have you now!" -- but it might be enough to obviate the credit card companies' concerns over storing primary account numbers. Truncation to the last four digits is, in fact, one of the methods Requirement 3.4 lists for rendering a stored account number unreadable, and Requirement 3.3 allows the first six and last four digits to be displayed.

Heck, they print that much on your receipt when you buy a pecan log roll at Stuckey's.
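To make the point concrete, here is a small added example (the Macalope's, not Apple's code, and not anything Berlind saw in the store; the ledger, the key and the card numbers are all made up). It enforces a two-per-customer limit two ways: keyed on name plus the last four digits, as suggested above, and keyed on an HMAC of the name and card number under a merchant-held key, which goes a step further than the post and never writes any part of the account number down at all.

```python
"""Enforce a per-customer purchase limit without keeping the card number.

Added example; not Apple's code and not what Berlind observed. It assumes a
hypothetical point-of-sale ledger that has to enforce "at most two iPhones
per customer". Two ways to identify the customer are shown: the one the
post suggests (name + last four digits, which is what a receipt carries
anyway) and a keyed-hash token, which links purchases from one card
without any part of the PAN ever being stored.
"""
import hashlib
import hmac
from collections import defaultdict

MAX_PER_CUSTOMER = 2  # the limit the store quoted to Berlind


def digits_only(pan: str) -> str:
    """Strip spaces and dashes from a PAN as typed or swiped."""
    return "".join(ch for ch in pan if ch.isdigit())


def last_four(pan: str) -> str:
    """Truncated PAN: the part PCI DSS lets a merchant display and keep."""
    return digits_only(pan)[-4:]


def normalize_name(name: str) -> str:
    """Fold case and whitespace so 'david  berlind' and 'David Berlind' match."""
    return " ".join(name.upper().split())


class PurchaseLedger:
    def __init__(self, secret: bytes, mode: str = "last4"):
        if mode not in ("last4", "hmac"):
            raise ValueError("mode must be 'last4' or 'hmac'")
        self.mode = mode
        self._key = secret          # merchant-held key, kept apart from the ledger (hypothetical)
        self._counts = defaultdict(int)
        self.rows = []              # what actually gets written to disk

    def customer_key(self, name: str, pan: str) -> str:
        name = normalize_name(name)
        if self.mode == "last4":
            # Cheap and PCI-harmless, but two of a customer's cards ending in
            # the same four digits (or two customers with the same name) collide.
            return f"{name}|{last_four(pan)}"
        # Keyed hash of (name, full PAN): stable per card, not reversible without
        # the key, and the PAN itself is dropped as soon as the token is computed.
        msg = name.encode() + b"\x00" + digits_only(pan).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def can_buy(self, name: str, pan: str) -> bool:
        return self._counts[self.customer_key(name, pan)] < MAX_PER_CUSTOMER

    def record_sale(self, name: str, pan: str) -> dict:
        key = self.customer_key(name, pan)
        if self._counts[key] >= MAX_PER_CUSTOMER:
            raise ValueError("iPhone limit reached for this customer")
        self._counts[key] += 1
        # Only the truncated PAN and the customer key are retained.
        row = {"name": name, "card": "**** " + last_four(pan), "customer": key}
        self.rows.append(row)
        return row

    def stores_full_pan(self, pan: str) -> bool:
        """Check a reviewer can run: does the full PAN appear in any stored row?"""
        needle = digits_only(pan)
        return any(needle in str(v) for row in self.rows for v in row.values())


if __name__ == "__main__":
    # Constructed sample data; 4111... is the usual test card number.
    ledger = PurchaseLedger(b"demo-key", mode="hmac")
    for _ in range(2):
        print(ledger.record_sale("David Berlind", "4111 1111 1111 1111"))
    print("third one allowed?", ledger.can_buy("David Berlind", "4111 1111 1111 1111"))
```

The "last4" mode is what the post describes and what a manager could do by eye from a stack of receipts; the HMAC mode is the same check with the account number replaced by a token nobody at the store could turn back into a card number.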

While the PCI DSS documentation is vague about what data can be retained by a merchant and for how long, the explanation I got made it clear that if Apple is using credit card numbers for reasons other than completing monetary transactions -- in other words, if Apple is using credit card numbers for the purpose of tracking (as seems to be the case here) -- that Apple might not only be in violation of PCI DSS, it could also be breaking some laws (some of which are based on PCI DSS) as well as breaching the terms of its agreements with card issuers and credit card companies such as Visa, MasterCard, and American Express (who, as you can see by the fines that Visa levied against TJX for the "worst data breach in the payment industry's history," guard the privacy of cardholders with relatively bloodthirsty lawyers).

It's funny that Berlind would mention the TJX case as it involves data security lapses by the company that led to hackers acquiring card numbers. It doesn't allege that the company itself was misusing customer data, but that it allowed others access to it.

[UPDATE: it's even funnier considering it looks like the TJX case just fizzled.]

My educated guess is that Apple's practices have kicked off a shitstorm of an inquisition in the credit card industry that has lawyers on both sides poring through the PCI DSS documentation, merchant contracts, and state/federal laws and that this isn't the last we will hear of this.

Again, from the Macalope's inexpert (but also educated) reading, Apple could satisfy every one of the PCI DSS requirements and still allow someone with the proper access controls -- like a store manager -- to view your purchase history. Maybe there's some other requirement Apple's in violation of here, but Berlind seems to be barking up a stump rather than a tree.

ADDENDUM: Commenter qengho points out:

You forgot to point out that he has no evidence that they've retained his CC number in the first place. The manager retrieved his info by asking for his name, and he goes on to say "But then comes the question of whether they are retaining your credit card number as well. How could they not?"

In other words, he pulled that supposition out of his ass and THEN went a rampage.

Including calling Visa and throwing around loose charges of violating laws he doesn't actually cite. Remember, you can't spell "supposition" without many of the same letters it takes to spell "suppository".

November 30, 2007 8:11 AM PST

More on Leopard security

by The Macalope
  • 3 comments

David Maynor responds to the Macalope's post below.

To start with, lets [sic] settle that dyld isn't a library so Apple's ASLR implementation is just peachy thread in his comments section.

That's a misreading or misrepresentation of the discussion in the comments section. The point was whether or not, as Maynor said, Apple lied about its implementation of ASLR. The Macalope's seen no evidence they lied about it. He's not happy with the way it's portrayed in the Leopard materials, but it's not a lie.

But contrary to Maynor's contention, the Macalope and even the commenter in the post below are not arguing that Apple's implementation of ASLR is "just peachy". It's not. It's better than no implementation of ASLR, but not much.

If somebody says Microsoft did something right they must be bribed.

OK, fine. The Macalope doesn't know the particulars of Maynor's relationship with Microsoft. But the company has pretty much plied everyone on the planet with free drink and food (that was the extent of the brown and furry one's insinuation, not that any cash passed hands) at some point, so that was not much of a stretch. The Macalope himself fondly remembers a free lobster shindig he attended in Boston some years ago sponsored by the great Satan from the Pacific Northwest.

Did the mythical beast with a head shaped like a classic Macintosh partake of Bill Gates' forbidden seafood temptation?

Hell, yes. As a matter of fact, he not only ate the two lobsters that were his due, he ate another one off the plate of a friend.

For a ruminant from the high mountain plains, the Macalope sure loves him some lobster.

But frankly -- and the horny one actually had a sentence about this in the previous post that he edited out for brevity -- despite the ethical concerns, he wishes Apple played this game better. A few cozy keggers with people in the security biz couldn't hurt.

Sorry, that's not the case...

You've never been to a Microsoft-sponsored shindig? Really? You should get out more. There's probably one just down the block from you going on right now.

... I just think some simple things they have done will increase the overall reliability and safety of their applications.

It's true. After forcing their customers to become experts in repeatedly reinstalling the company's operating system to get rid of malware (the Macalope knows people who brag about how fast they can get their XP systems up and running again), Microsoft has made an operating system that is more secure.

Which has not yet achieved wide-spread adoption.

And this is the problem. In some perfect sphere of Platonic logic somewhere, Windows users have a more secure operating system experience. Here in reality, however, it's still Mac users.

For now.

You see Apple's problem in security is not the technology. OSX has a great pedigree with its FreeBSD ties and all these problems previously mentioned are fixable. The problem I see with OS is Apple. Unless I am mistaken the Apple Security team is 4-5 people, or at least it was last year at this time. That is like having one police officer patrol New York City, it's ridiculous.

But Apple doesn't live in New York City, David. It lives in Newton, Massachusetts. Yes, there have been a few break-ins and people are concerned that the place could get turned into Flint, Michigan some day if Apple's not careful, but today that's not the case.

A commenter in Maynor's thread notes that there are at least 7 people on Apple's security team. The Macalope has no idea how many people is enough, but he likes Maynor's suggestion that Apple appoint a chief security officer, because the Leopard implementation of several items -- particularly turning off the firewall -- reeks of security just not being anyone's responsibility there.

November 27, 2007 4:31 PM PST

OS X security just not there yet

by The Macalope
  • 3 comments

David Maynor is back on his Apple security hobby horse and rocking it faster than a 5-year-old hopped up on pre-holiday candy canes. Despite his usual over-the-top Apple invective, he makes some valid points and provides some helpful information for people using QuickTime on Windows.

Apple announced ASLR as a feature in their latest version of the operating system, Mac OS X 10.5 (TigerLeopard). However, Apple largely lied.

You might be surprised to hear the Macalope agree with Maynor, but he's right. OK, maybe [See update below] "lied" is too strong, but they certainly misrepresented it.

Read the OS X Leopard Security Technology Brief (PDF).

In Leopard, libraries are loaded into random addresses when the system is installed and at any time that library prebinding is updated on the system (typically after system software updates, though you can manually force an update by running the "update_dyld_shared_cache -force" command).

Now read Thomas Ptacek's roundup of Leopard security features.

The dynamic linker library (dyld) is not randomized. From what I can tell, ten different Leopard macs booted at ten different times will have the same offset to dyld.

You care because dyld is full of useful functionality. Like, dynamically linking new libraries into memory, or recovering the base addresses for existing libraries.

Clearly, not all libraries are randomized, and it's hard to read Apple's documentation any other way than as saying that all of them are. [UPDATE: As a commenter points out, dyld is not a library itself. It's the dynamic linker, the pathway to the libraries. So, yes, the libraries are randomized, but that doesn't mean much if dyld isn't: an attacker who gets control of execution doesn't need to know where any library landed, only where dyld sits, because dyld's own code can load libraries and look up their addresses for him. It's like being in the witness protection program and having the government move you to an undisclosed location and then updating your address on Facebook so all your friends will know where you are!]
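Here's how you check this sort of claim yourself rather than taking a technology brief's word for it. The program below is an added example (not from Apple, Ptacek or Maynor): it runs itself five times and reports which of its mappings -- the executable's code, libc, the heap, the stack -- come back at the same address every run. It assumes it can re-launch itself through argv[0] with popen; on a Leopard box you'd add a line for a symbol exported by dyld to see the fixed offset Ptacek describes.

```c
/* aslr_probe.c: run yourself N times and see which addresses move.
 * Added example, not code from Apple, Ptacek or Maynor.
 * Assumes argv[0] can be re-executed via popen (true for ./aslr_probe). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define NRUNS 5
#define NKEYS 4

static const char *const KEYS[NKEYS] = { "text", "libc", "heap", "stack" };

/* Child mode: print one "<key> <hex address>" line per mapping of interest. */
static int probe(void)
{
    int on_stack = 0;
    void *on_heap = malloc(16);
    printf("text %lx\n",  (unsigned long)(uintptr_t)&probe);   /* main executable */
    printf("libc %lx\n",  (unsigned long)(uintptr_t)&printf);  /* shared C library */
    printf("heap %lx\n",  (unsigned long)(uintptr_t)on_heap);  /* malloc arena */
    printf("stack %lx\n", (unsigned long)(uintptr_t)&on_stack);/* stack frame */
    free(on_heap);
    return 0;
}

/* How many different values appear among v[0..n-1]. */
int count_distinct(const unsigned long *v, int n)
{
    int distinct = 0;
    for (int i = 0; i < n; i++) {
        int seen_before = 0;
        for (int j = 0; j < i; j++)
            if (v[j] == v[i]) { seen_before = 1; break; }
        if (!seen_before) distinct++;
    }
    return distinct;
}

/* Verdict for one mapping given how many distinct addresses `runs` runs produced. */
const char *verdict(int distinct, int runs)
{
    if (distinct == 0) return "no data (probe failed)";
    if (distinct == 1) return "FIXED: same address every run";
    if (distinct == runs) return "randomized";
    return "weakly randomized";
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--probe") == 0)
        return probe();

    unsigned long seen[NKEYS][NRUNS] = { { 0 } };
    char cmd[4096];
    snprintf(cmd, sizeof cmd, "'%s' --probe", argv[0]);

    /* Parent mode: launch a fresh process each time (fork alone would keep
       the same address space, so it must be a real exec). */
    for (int r = 0; r < NRUNS; r++) {
        FILE *p = popen(cmd, "r");
        if (!p) { perror("popen"); return 1; }
        char line[128], key[16];
        unsigned long addr;
        while (fgets(line, sizeof line, p)) {
            if (sscanf(line, "%15s %lx", key, &addr) != 2) continue;
            for (int k = 0; k < NKEYS; k++)
                if (strcmp(key, KEYS[k]) == 0) seen[k][r] = addr;
        }
        pclose(p);
    }

    for (int k = 0; k < NKEYS; k++) {
        int d = count_distinct(seen[k], NRUNS);
        printf("%-5s %d/%d distinct addresses -> %s\n",
               KEYS[k], d, NRUNS, verdict(d, NRUNS));
    }
    return 0;
}
```

Build it once as a position-independent executable and once without, and the "text" line flips between randomized and FIXED; that one fixed line is exactly the situation Ptacek describes for dyld, only there the fixed thing is the code that knows where everything else is.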

Microsoft has impressed the security community with its dedication to secure coding practice.

The Macalope suspects that the free keggers the company throws for security professionals and, well, everyone and their alcoholic mother don't hurt, either. And it's great that after years of making their users take it in the shorts on security by making them easy victims to, you know, actual real-world malware, that Microsoft can make bygones be bygones with security pros by tossing them some free shrimp like the barking seals that they are and then delivering a new OS with some good security features that sadly not that many people are taking advantage of because the cost in time, effort and cold, hard cash to upgrade from XP still often comes out to a losing proposition.

But the Macalope readily admits that Apple has rested on some comfortable security laurels and for every step forward they've made there's been a half a step back.

Installing Apple code on a Microsoft Vista system will make that system unsafe. Since these QuickTime vulnerabilities are equally exploitable on both Vista and Mac OS X 10.5, the fans might conclude that both operating systems are equally safe. This is not true, Vista is vastly more secure than the Macintosh.

"Vastly" is debatable. The structure is there, Apple just needs to implement it properly. Many of the items Ptacek points out are user-correctible. Apple could be just a dot release away from fixing them if it wanted to.

Apple's only advantage over Microsoft is their small market share, which means hackers are less interested in them. However, as hackers are having a harder time cracking Vista, they are getting more interested in the Mac, and we are seeing more exploits and more malware targeting Apple users.

This isn't yet a problem thanks to the legacy installs of XP and previous versions of Windows, but it will become more true as more Windows users inevitably adopt Vista (or move to the Mac or Linux). The situation is helped along, of course, by so-called security "professionals" who -- either because they love those Microsoft-sponsored security conferences or because they just really, really hate that "I'm a Mac" guy! -- are all too willing to yell "Look over there!"

Does the computer security industry ever strike you like a protection racket? "Nice operating system you have here. It'd be a shame if something were to happen to it."

Apple seems to be making some of the right moves, but not in a comprehensive manner. The Macalope would rather 2008 were not the year of the great Mac security epidemic.

October 31, 2007 7:21 AM PDT

Well, it's a start

by The Macalope

Matasano Security's Thomas Ptacek provides an excellent run-down of Leopard's new security features (tip o' the antlers to Ryan Naraine). Remember what the Macalope said a couple of weeks ago?

We can argue whether these are the right measures to be taken or how effectively they're being implemented, but this is still good news.

Well, a funny thing happened on the way to implementing Leopard's new security features...

Some of it's good, but much of it's bad, or at least it's disappointing that Apple did not implement the features more robustly.

It's some good news (well, sort of...) that several of the problems are with default settings and users can quickly correct them, but turning off your firewall even on an upgrade? Sheesh. That's like paying a contractor to renovate your house while you're out of town and you come home and find all the doors and windows open and when you say, "Hey! Goober! What gives?!" he says "Oh, I just wanted to make it easy for you to get in when you got home."

October 25, 2007 10:12 AM PDT

Boo!

by The Macalope
  • 3 comments

Jim Thompson via email gives us a good pre-Halloween scare.

First, Engadget reports that Elcomsoft has filed a patent for a way to leverage a computer's graphics processing unit to crack passwords in a couple of days instead of months.

And if that's not enough to make you hurl your candy, Jim notes, think about what the bot army will be able to do with this.

Thanks, Jim! Yeah, uh, thanks a lot.

Please pardon the Macalope as he quickly changes all of his online banking passwords to 142-character strings filled with random letters, numbers and punctuation marks.

Maybe crazy old uncle Mortimer wasn't so crazy in 1999 when he said he'd rather keep his pension in the mattress than put it in online banking.

Now he's just crazy for eating all that dog food.

October 18, 2007 10:17 AM PDT

Security professionalism.

by The Macalope
  • 2 comments

Back in February, the Macalope asked Apple to take security more seriously.

Today Ryan Naraine reports that Apple is doing just that and points to several key technologies that David Maynor said made Vista more secure than OS X -- such as ASLR -- that will be included in Leopard.

This, along with Steve Jobs' statement concerning the security protocol that will be included in the iPhone SDK, show that Apple is taking security seriously. We can argue whether these are the right measures to be taken or how effectively they're being implemented, but this is still good news.

If you're wondering where the snark is in this post, there really isn't any. But don't worry, the Macalope's working on an Enderle piece that should fulfill your USDA daily recommended dose of snark. Oh, Rob. The Macalope could never quit you.


About The Macalope: An Apple blog

Born of the earth, forged in fire, the Macalope was branded "nonstandard" and "proprietary" by the IT world and considered a freak of nature. Part man, part Mac, and part antelope, the Macalope set forth on a quest to save his beloved platform. Long-eclipsed by his more prodigious cousin, the jackalope (they breed like rabbits, you know), the Macalope's time has come. Apple news and rumormonger extraordinaire, the Macalope provides a uniquely polymorphic approach. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure.
