In a move that could backfire, according to one security expert, Apple pulled out of a prominent hackers' convention taking place this week in Las Vegas.
Apple abruptly canceled what would have been its first appearance at Black Hat, an annual event in Las Vegas that features presentations from the world's most preeminent security researchers – a.k.a. hackers – according to Computerworld. Speakers typically highlight security shortcomings in a number of different technologies, including operating systems, e-mail and the Internet itself. Taking one's lumps at Black Hat is a rite* of passage in a technology's security evolution, as companies like Microsoft and networking equipment maker Cisco will attest.
Thanks to this move and a few other gestures of ill will toward its customers (such as dropping the price of the iPhone last year shortly after many had purchased one), says Herbert "Hugh" Thompson, chief security strategist at New York software security firm People Security, "Apple's shield of being a charmed company could be lifting." Hackers could take offense at the move and start turning their attention to the security flaws in the company's computers, software and cell phones, Thompson says.
As leaders in the software and networking markets, respectively, Microsoft and Cisco attract attention because hackers who develop attacks against these companies' products affect the most people. "Risk, in an operating systems in particular, is a function of how vulnerable you are and how much people want to attack you," Thompson says. Apple's products, in particular its QuickTime Internet media player, are not more secure than these high profile targets, but the public's sentiment has always been in their favor. "The damage is going to come now," he adds, "as people speculate as to why (they pulled out of Black Hat) and start disparaging them."
Black Hat Founder and Director Jeff Moss told Computerworld, that Apple's marketing department "got wind of" the company's planned appearance. "Nobody at Apple is ever allowed to speak publicly about anything without marketing approval," he said. The company's presentation was supposed to be "them talking about security engineering and how they take security seriously."
Apple had set unusual conditions for speaking at the event: They wouldn't have to answer questions from the audience. Apple's canceled session was titled "Meet the Apple Security Experts," according to CRN magazine, which reported Moss as saying, "We had a lot of people from government agencies saying they'd love to know more about the security engineers at Apple, because it's such an opaque company." It seems the company will remain opaque, at least for now.
Apple's already starting to look a bit bruised. Petko Petkov, founder of security research firm GNUCITIZEN, said in the description on the Black Hat Web site of his presentation today that he planned to expose a flaw in Apple QuickTime running on the Windows operating system that Apple has yet to repair (a situation known as a "zero-day" bug), which means that hackers could immediate start attacking it. "If Apple responds before the event," he wrote, "I will drop the details of a QuickTime 0day for Windows Vista and XP." ScientificAmerican.com was unable to reach anyone who knew whether Petkov had gone through with his plans.
This wouldn’t be the first time that hackers have tried to teach Apple the lesson that it should be more open with the security flaws in its products. Two hackers early last year created the "Month of Apple Bugs" project that made public a stream of security flaws in Apple's products, including the Mac OS X operating system and iChat instant messaging software.
Apple's strategy of tightly controlling its iPhone (it runs only on the AT&T wireless network) led to New Jersey teen George Hotz posting on YouTube a technique for modifying the iPhone so it can run over other wireless networks as well. This technique was not widely adopted, but it showed what happens when someone with technical skills sets their mind to picking apart Apple's technology.
Apple's absence from Black Hat had a bit of a ripple effect. Upon finding out of Apple's plans to cancel their presentation, security consultant Charles Edge was forced last month to withdraw a session he had proposed to Black Hat organizers about flaws in Apple's FileVault encryption software, citing confidentiality agreements he had signed with the company, according to the Washington Post.
The hacker community's relentless drive to break the technology in which companies invest millions of dollars is at times sated by a good will gesture from those companies. Microsoft learned this lesson after years of battling with security researchers over flaws in its products. Since 2003 the company has held biannual BlueHat security conferences, during which Microsoft invites prominent security researchers to its offices to discuss flaws in Microsoft products.
Thompson predicts that, if Apple doesn't learn from its mistakes the way Microsoft did, the company will start "losing that grace that customers had given them for a really long time because they have cool products. The haze is starting to lift and people are starting to ask more questions."
(Image courtesy of iStockphoto)
* corrected from earlier version