Apple.com/security

by Francois Joseph de Kermadec

Apple and Microsoft clearly have two different visions of what, exactly, security is all about. And the winner is not who I expected.

35 Comments

Mark
2006-02-18 14:12:32
I don't understand the logic.


In fact, none of this makes any sense at all. I hope you don't get paid for this stuff.

chris chapman
2006-02-18 14:54:32
Agreed - if posting anything at all at apple.com/security, they should at the VERY LEAST post guidelines or best practices for security when running MacOS X. Certainly not chest beatings stating how secure you are. How about links to security sites? How about security news - even covering the Windows world?? The comparison in and of itself would be enough of a sales pitch.
FJ
2006-02-18 15:01:10
Mark,


First of all, thanks for taking the time to share your thoughts.


My only goal here is to point at a discrepancy between the sites of two widely known and often contrasted companies. In my (of course humble) opinion, the current Apple site lacks pages that clearly explain the steps a user wishing to secure his machine and safeguard his information should take. My comparing it with the Microsoft site comes from the fact they are often criticized for their lenient view on security.


Admittedly, web sites and development talent have nothing in common, and my goal here is not to contrast operating systems or technologies but simply the means both companies use to communicate on that topic with their users.


That post is nothing more (and nothing less) than a starter for discussion. It does not pretend, in itself, to be a demonstration of anything.


If you cared to elaborate on your laconic comment, I would be most happy to discuss the matter with you.


FJ

Angus Hardie
2006-02-18 15:17:33
You may be interested to see this page. It's a new rss view for the apple mailing lists.
http://rss.lists.apple.com/


Usefully you can subscribe to the apple security list via rss


http://rss.lists.apple.com/security-announce.rss
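Subscribing in a feed reader is the manual route; a small poller that records the newest advisory it has seen and only reports items published after that watermark is what you would run on a schedule. The following is an added example and not code from the original post or from Apple: it assumes the feed is ordinary RSS 2.0 (channel/item with title, link and pubDate), and the sample document embedded in it is constructed for offline use, with hypothetical titles and an .invalid host rather than real advisories.

```python
"""Poll a security-announce RSS feed and report advisories not yet seen.

Added example (not from the page or from Apple). The feed layout is
assumed to be plain RSS 2.0 (<channel><item><title/><link/><pubDate/>);
the sample document below is constructed for offline use and does not
reproduce real Apple advisories.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
import xml.etree.ElementTree as ET

# Constructed sample feed: two hypothetical advisories, not real ones.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>security-announce (sample)</title>
    <item>
      <title>Example Security Update 2006-001</title>
      <link>https://lists.example.invalid/security-announce/msg001</link>
      <pubDate>Wed, 01 Mar 2006 18:00:00 +0000</pubDate>
    </item>
    <item>
      <title>Example Security Update 2006-002</title>
      <link>https://lists.example.invalid/security-announce/msg002</link>
      <pubDate>Mon, 13 Mar 2006 21:30:00 +0000</pubDate>
    </item>
  </channel>
</rss>
"""


def parse_feed(xml_text):
    """Return feed items as dicts sorted oldest-first by pubDate.

    Items without a parseable pubDate are skipped rather than guessed at,
    so a malformed entry cannot silently become the "newest" advisory.
    """
    # xml.etree does not resolve external entities, but for a feed fetched
    # over the network the defusedxml package is the safer parser choice.
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        raw_date = item.findtext("pubDate")
        try:
            published = parsedate_to_datetime(raw_date) if raw_date else None
        except (TypeError, ValueError):
            published = None
        if published is None:
            continue
        if published.tzinfo is None:
            # RFC 822 "-0000" yields a naive datetime; treat it as UTC so
            # comparisons against the aware watermark do not raise.
            published = published.replace(tzinfo=timezone.utc)
        items.append({"title": title, "link": link, "published": published})
    items.sort(key=lambda i: i["published"])
    return items


def new_since(items, watermark):
    """Items published strictly after `watermark` (an aware datetime)."""
    return [i for i in items if i["published"] > watermark]


def latest_watermark(items, fallback):
    """Timestamp to persist after a poll so the next run reports only new items."""
    return max((i["published"] for i in items), default=fallback)


if __name__ == "__main__":
    # Watermark from the previous run; here a fixed date for the sample.
    seen_up_to = datetime(2006, 3, 5, tzinfo=timezone.utc)
    parsed = parse_feed(SAMPLE_FEED)
    for entry in new_since(parsed, seen_up_to):
        print(entry["published"].isoformat(), entry["title"], entry["link"])
    seen_up_to = latest_watermark(parsed, seen_up_to)
```

Replace SAMPLE_FEED with the body fetched from the feed URL and persist the returned watermark between runs; the sort and the strict "after" comparison are what keep a re-delivered or reordered item from being reported twice.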

someone2
2006-02-18 15:18:54
Total waste of time, give me my 60 seconds back, jk. There will be changes in due time; the admin has to have a life too, you know.
charles
2006-02-18 15:21:13
François, this is actually a good post and your point is perfectly reasonable. In fact, I hope Apple reads it.


Mark, you should elaborate, next time !


charles

FJ
2006-02-18 15:31:16
Angus,


That is extremely true. Thanks for passing that link along!


FJ

FJ
2006-02-18 15:32:41
Someone2,


JK? If you were addressing me, I do understand administrators cannot update websites in a snap and that every page needs to be carefully crafted and designed. Everybody needs sleep, a personal life and time for thought.


Writing security pages however should be, at least I hope, more than the work of one single person. Also, while the recent malware "outbreak" (notice the quotes) prompted my looking into the URL, I do not especially think such a page should be written as a reaction to an issue but would rather welcome its publication as a preventative measure.


FJ

Van
2006-02-18 16:49:36
Once upon a time, there was actually content here worth reading.
FJ
2006-02-18 16:54:21
Van,


Can I ask you to elaborate? Without knowing what you deem worth reading, it is slightly difficult for me to know how I could reshape my writings so that they are of more interest to you.


FJ

you don't care
2006-02-18 16:54:42
Welcome to the big security wurlitzer François. Another article heavy on innuendo with no real substance...
FJ
2006-02-18 17:01:31
You Don't Care,


Thanks for the warm welcome. I am afraid however I have to respectfully disagree. While you may deem that article devoid of substance, I do not believe it is either allusive or disparaging. I am merely pointing out a difference in points of view and information publication approaches between two companies that are often antagonized.


FJ

Alfredo
2006-02-18 17:04:12
Apple should educate their users in basic security like firewall settings and safe surfing. They should hammer the message home that the Mac has a good record, but that security starts with the user.


Their periodic mailings should highlight security hints.

rob
2006-02-18 17:11:13
Security is mostly about software and architecture. Sure there are other things, but having an absolutely logical URL for security information has got to be near the bottom.


Fact is, on Windows a lot of insecure stuff is pretty much built-in - as if they designed it that way (hint: they did, but for other reasons).

rob
2006-02-18 17:17:43
I forgot to add, re: your response to Mark, that your piece above clearly talks about security in general ("Apple and Microsoft clearly have two different visions of what, exactly, security is all about. "). If vision isn't about a general security policy, what is?


The logic that Mark doesn't understand (nor do I - it's another brand of logic that you're using as far as I can see) is the link between an overall vision for security, and the logic of having a /Security URL (for a start, why capitalise Security?).


The most logical thing to the average person would surely be a one-click link on the homepage clearly marked "security" (I'm not expressing a preference for capitals or not here!).


Further, you say "It does not pretend, in itself, to be a demonstration of anything.".


Well, it appears to imply from the get-go, that having a good security-related URL is central to good security. Well, that's a logical step that I just don't share with you. Sure, it's nice, but it's just a peripheral issue. Maybe it makes sense for you and other geeks but that's not who we're talking about here, are we now?


2006-02-18 18:47:48
François, you seem to be conflating (at least) three disparate issues that Apple.com must address: security updates, web design, and marketing.


First and foremost, apple.com is a site that must communicate to customers, users, and mac administrators. Those are three nearly disjoint audiences (and that ignores shareholders, parents of young mac users, reporters, and so on).


I'm sorry that the most obvious URL for you, apple.com/security, is not the most obvious location for you to find technical information about what patches are available for Apple's software, or which vulnerabilities have been addressed by which patches.


Surely a site like Apple.com has a set of user models and use cases that help their web team understand how people use their site, and the kind of information they generally want to find. We don't know what their user models are, but I suspect that the number of people who want information on patches and updates are technical enough to find the search box and jump through three pages and find what they are looking for. The relative number of these users pales in comparison to, say, your average iPod or Mac user/buyer.


No, this is not optimal, but look at the tradeoffs. The handful of security conscious Mac users aren't a primary, secondary or tertiary concern. Selling product, supporting product sales, and answering common user questions are.


Microsoft, on the other hand, is subject to the same constraints, but has a different mix of users. It's more likely that Joe Average Windows-User will need information on security and patches, because Joe is more likely to be a sysadmin or helpdesk staff than, say, Uncle Joe who is trying to figure out which flavor of iPod he wants to buy for his nephew.

Van
2006-02-18 18:51:01
Francois,


I apologize for being unclear, but if the reasons why this "article" is useless drivel escape you, I doubt I could explain it.

Magnus
2006-02-18 20:04:13
Sorry, but I also fail to really get the point of this. Is it that Apple and MS have different stuff on their security web pages? But is that then indicative of how they have different approaches to/views of security? Perhaps...


This does however show one thing: the Mac world is not used to communicating around security issues in a PR-conscious and easy-to-understand fashion.


I fail to understand how you come to that conclusion. Apple's site is not equal to the "Mac world" in my view. In my experience, as soon as there is anything security related concerning Mac, it's quickly brought up and discussed throughout the "Mac world" which to me is all over the web, blogosphere, etc. including this site. Perhaps it's not in a "PR-conscious" fashion, but I'm not sure what that means anyway, but it's very often in an "easy-to-understand" fashion, I think.


Apple and Microsoft clearly have two different visions of what, exactly, security is all about. And the winner is not who I expected.


It's an intro that draws a crowd, but the rest of the article doesn't deliver, IMHO. The two companies may have different views on security (and I hope they do since I think MS just doesn't get it) but what's offered in this article to back that argument up is weak, and from what is presented I don't think there is any way you can declare "a winner".

ThoperSought
2006-02-19 00:54:54
Give François a break, Please. While I won't say that this was the clearest and most erudite post ever written, c'mon! It was okay! If you don't understand what he's on about here, you certainly shouldn't be bashing HIS intelligence.


Van, you especially. Either stfu, or explain yourself.


Anonymous, to suggest that François is "conflating (at least) three disparate issues" is also unfair. Just because they don't each have a neat little bolded subheading above separately developed sections doesn't mean that he's conflating anything. To focus on the fact that he doesn't explicitly develop and introduce each topic separately, rather than on his statement that the page with the technical information appears not to have been updated in a while, is missing the point.


Yes, I believe there is a point. How about, instead of bashing him because the point wasn't instantly clear the first time you read his post, you consider this choice: discuss the Issue he addressed, or don't say anything at all.

Ron Bannon
2006-02-19 05:32:05
Francois Joseph de Kermadec has written an excellent tutorial on using ssh under Mac OS X. It would be great if he'd write a book on Mac OS X security in general, not a tome, but one similar to his ssh tutorial. He's a great technical writer, and he's done a major part in helping secure Mac OS X users running ssh.
Van
2006-02-19 09:00:51
ThoperSought:


Maybe you could discuss the "issue" Francois introduced rather than throwing a tantrum like some petulant child over the fact that other people said something you didn't like. I wasn't attacking his intelligence, I was attacking the amount of useless crap on this site as compared with what you used to see here.


As much as I'd love to waste my time in a flame war with you, I'll happily concede the last word if you'll run along.

Mark
2006-02-19 11:04:03
Francois, Please accept my apologies. I should not have added the last sentence.


You do raise a good point as that is the "public face" of Apple regarding security. However, for most end users, security should be a "given". They have no need to look at security reports, and just want their system to be secure and safe. I think this is the case.


For more advanced users, who wish to keep abreast of all the issues, then there are plenty of things to look at and subscribe to. I'm not sure the ability to directly link to www.apple.com/security has any bearing on the matter.


Certainly, I think we will need to watch things this year. It seems likely there will be more security threats, and we all want Apple to ensure timely and prompt solutions to any problems.


Again, apologies. I think one issue with the articles on MacDevCenter is that I sometimes find it difficult to distinguish "real articles" from "blog/comment-type" articles. Clearly, criticism of the latter must be tempered by their very nature. I should also not be so critical of things I am not paying for - so please accept my apologies!

FJ
2006-02-19 11:38:17
Rob,


Thanks for your comments. Here are some answers:


1. The capitalization is only used here for legibility purposes. URLs themselves indeed are not capitalized and would return a 404 page if entered with the initial cap. I hesitated before writing them so but thought making them easier to read was what mattered most in the context of the blog post.


2. As far as I can see, a company usually invests a lot in what its "higher-ups" (how "high" these people are depends on the company, of course) value. For example, you will notice the iTunes website is constantly updated and improved, even when only minor iTunes updates are published. In that, I believe there definitely is a link between the address/look/freshness of a page and the investment a company as a whole puts into a topic. Note I said "as a whole" as, again, I am not criticizing the work of the Apple security engineers.


Not providing users with an easy-to-find central page containing security resources means a company does not expect users would seek or need such information. And does that ever really hold true?

FJ
2006-02-19 11:46:40
Anonymous,


Thanks for taking the time to post. You do raise a valid point when it comes to website audiences so allow me to elaborate a bit:


  1. While I certainly do not know how users behave on Apple.com for lack of being allowed to look at their logs, I know how other companies and projects have structured their site. Many other computer manufacturers have chosen to use /security as their source for security information (some implementing redirects) and these are not those who essentially target the enterprise market.

  2. You seem to imply Apple need not care as much about providing security information as its users are overall less "geeky" or technology-oriented. The /security page as it stands today however still targets a knowledgeable audience, which seems to imply Apple expected a certain type of people to (mostly) reach it.

  3. You will notice Apple.com does not ignore the press (Apple.com/pr) or shareholders (Apple.com/investor). In that, their site is targeted at a rather large audience, and certainly one that is larger than it may seem at first sight.

  4. Distributed denial of service attacks, spambot problems and the like have consistently proven the average home user is in the first line when it comes to security problems. Indeed, malicious users bet on the fact these people will not know how to secure their machines. How would someone enjoy his iPod if his computer is hacked and his music library deleted?


I hope this helps answer some of your questions.


FJ

FJ
2006-02-19 11:47:34
Van,


We shall agree to disagree then. Thanks for taking the time to post back!


FJ

FJ
2006-02-19 11:53:46
Magnus,


Thanks for taking the time to post!


Yes, the words "Mac world" were probably a bit large, I agree with you. You raise a very valid point by stating Mac sites talk about security issues when they come up, although, and this is where my wording appears to have confused you, this is the result of many independent initiatives in which the Apple machine has a very small role - if it has a role at all until the corresponding security update is released. In that, I believe the Mac world talks about security issues at a user level but its discourse lacks a strong "official" line, provided by the company that backs it.


The introduction is indeed strong, although I believe the differences outlined in the article make one site the "loser" and one the "winner". Of course, this is entirely my personal opinion and I understand you may disagree. When it comes to the security policies of two companies as a whole, you will notice I explain in my conclusion one should not infer too much from a simple site comparison, although I still deem websites to be representative, as you can see in my comments above.


FJ

FJ
2006-02-19 11:56:07
ThoperSought,


Thanks for your kind words! :^)


This post was indeed written as a starter for discussion and I certainly do not think the 20 or so lines above constitute the finest security analysis ever written in the technology industry.


I'm always glad to talk things through, though!


FJ

FJ
2006-02-19 11:57:47
Van,


No flame wars required here. I'm sure everyone is doing his best to discuss the topic at hand in a calm and constructive fashion, although our words can sometimes be stronger than our thoughts. Your posts are genuinely appreciated.


FJ

FJ
2006-02-19 12:07:48
Mark,


Thanks for your kind words. No apologies are required, I assure you. That entry indeed was not published as an "article" but as a blog post and, as such, is meant to be an opinion piece, not The Technical Truth. In the future, the URL (/mac/blog) and the sub-header ("in Opinion") should help you distinguish between the different flavors of content that are published here.


You do raise a very valid point when saying security should be a "given" and I wholeheartedly agree with you. It is my opinion however most home users will, at a point or another, be pushed to wonder how truly secure their system is — when something strange happens, for example, or when watching the news about a virus outbreak.


I know everybody on the team is committed to writing the best possible content — myself included — so your feedback is always welcome. There is a lighter side to the MacDevCenter — of which this post was aiming to be part — and I believe this contrast is what makes the site the truly great source it is.


FJ

Adam
2006-02-19 19:47:35
Francios,
You have said Apple doesn't have "an easy-to-find central page containing security resources" - just because www.apple.com/security goes to the mac OS X marketing page... But www.apple.com/support/security is "an easy-to-find central page containing security resources".
To my mind /support/security makes more sense for the kind of page you are requesting - so Apple have got it right.
Of course the OSX security marketing page should be www.apple.com/masosx/security - which leaves www.apple.com/security as an ambiguous page.
Should it be directed to new customers or administrators? Which are there more of? Which is more important to the company. Clearly we can't tell. But clearly somebody thinks new customers are more important. I don't think it's a reflection on Apple's attitude to security.
I think this is obvious to many people reading this article, and therefore they find your statement about "the winner" in security focus to be inflammatory. Personally I did too.


Obviously also, the recent malware release is "recent", previously we all understood (Apple included) that OSX had _no_ widely released malware.


The only addition/change I have to their site is that the page www.apple.com/security should have a link to the other security page, whichever one is chosen (in this case security software updates/rss feeds).


I have in the past really admired your posts for their insight.
Thanks,

FJ
2006-02-20 02:47:10
Adam,


Thank you for your kind words, I really do appreciate them. Also, thanks for sharing your insights.


I agree with you the /support/security URL is, in itself, not that much of a stretch although someone not familiar with Apple (which may be the case of a security researcher more versed in UNIX matters) may struggle to find it. What has me most surprised is that there is no easy-to-find link from the Apple.com homepage or its support page that leads to this security resource. Instead, one has to go to support, then look at the footer or go through the equally obscure site map.


All in all, Apple would not be overly wrong to implement /security as a marketing page if the other were easier to locate but, as you suggest, I would hope that page would contain a link to the "actual" security page.


FJ

ThoperSought
2006-02-20 12:49:51
Van, what is the problem?


"C'mon, give the man a break!" is hardly "throwing a tantrum like some petulant child".


Further, despite your saying "I wasn't attacking his intelligence," I can't imagine any other interpretation for your earlier words: "if the reasons why this "article" is useless drivel escapes you, I doubt I could explain it."


As for the issue in François's original post, I don't really care about it enough to comment. If it had been ignored, instead of attacked, I'd have ignored it too.


The fact of the matter is, to any reasonably intelligent and unbiased person, you're the one who looks childish. You're just making a fool of yourself. You really might want to consider taking my invitation to stfu.


2006-02-20 12:53:24
http://www.apple.com/itpro/
Says it all. END OF.
NotAFanBoy
2006-02-20 18:16:54
Let me make a point that I have noticed since switching to a Mac. The Apple camp is divided between fanboys, who think Apple can do nothing wrong, and non-fanboys, who are obviously in the minority. It's the former class of people who are not happy with this article. They seem to be pissed that Francois criticized Apple for its lackluster attitude to making security information about Mac OSX easily accessible.


He makes a very valid point. If you look at the security vulnerabilities fixed by Apple in 2005, the numbers rival Microsoft (81 vs. 89). Apple has been criticized for not divulging information about their vulnerabilities to the public. For those who think security by obscurity is the right way to go, I would encourage you to read: http://www.crypto.com/hobbs.html
By not commenting on the exact vulnerabilities they are fixing they are harming the customers. The ideal way would be to have detailed information about each patch they release instead of just saying "Fixed vulnerability in Safari". Also, it makes sense to let people know of the problem before the patch is even released because the bad guys will find out anyway.


I am not saying Apple is as insecure as companies with financial interest like Symantec would like you to believe or that its even close to Microsoft in those terms. My point is that being too smug about Mac OSX security is going to be dangerous. The recent trojans are one example of this. As you might have noticed I didn't use the term virus or worm because that is not what it is. So don't for a second think that I am riding on the hype wave created by anti-virus companies like Sophos.

Matt
2006-04-12 22:59:33
Woah is Apple!... we are in terrible times my friends.. no, not really. None of the Macs at my campus network ever went down with the PCs all virused and useless... I'm not worried. Apple is on top of their game, and they know it. That's what all those good free Linux hacks are good at, providing Apple with free security update patches for BSD.. lol