One of the more hotly discussed topics among attendees of this year’s Black Hat conference in Las Vegas was Apple’s last-minute decision to cancel its scheduled presentations, and the somewhat disengaged stance it continues to maintain regarding the vulnerability research community in general.
Most observers have always perceived Apple as the model of intuitive user-friendliness and response to customer feedback, and often cast rival Microsoft as an impregnable corporate fortress that does as it chooses and forces users to deal with the headaches. But the opposite appeared to be on display at the annual hacking summit this week.
If news reports are correct, and Apple pulled its researchers’ demonstrations based on issues of marketing or image control, and a seeming refusal to acknowledge that it too must deal with the pervasive security issues that have plagued Microsoft technologies over the years, you have to wonder what the people who made that decision were thinking.
You have to think that the Apple engineers who were planning to be at the show and participate must have been disappointed with the company’s decision as well.
If anything, the move only highlighted the genuine validity of Microsoft’s ongoing efforts to abandon its own historically draconian stance on security in favor of a more open-door policy through which it is addressing vulnerabilities and attacks head on, and actively courting the help of security researchers to do so — instead of seemingly pretending that they don’t exist by refusing to involve itself in the research community.
Most people at the show seemed to think that Apple’s less proactive stance on security research and its decision to stay away from Black Hat will only drive larger numbers of white and black hat hackers to assail the company’s products to find the weak points that surely exist in them.
And while Apple may never have to deal with the same level of scrutiny that Microsoft receives when it comes to having its technologies scoured for potential flaws and exploited by hackers, it most certainly is already experiencing larger numbers of attacks as it introduces cash cow products like its iPhones and iTunes.
Perhaps Apple is merely planning to tackle security more on its own terms, and court the help of the vulnerability research community on its own turf, as Microsoft has with its invite-only Blue Hat meetings. Or maybe the business folks over in Cupertino simply didn’t think it was wise to call attention to some of the issues that were to have been discussed by its security experts out of some legitimate concerns regarding its operations or customers.
But there’s no question that most of the people attending Black Hat were surprised and disappointed to see this role reversal play out, as Apple has long won its reputation by listening to its users and adapting products to both suit their needs and protect their interests.
Microsoft, Cisco, Google and other industry heavyweights all took their lumps at the conference, with researchers highlighting existing problems with their systems and the companies at the very least admitting they need to keep working to improve their security, if not introducing new methods to do so.
Meanwhile, Apple’s image was pilloried on the show floor because in dropping its talks the company seemed to refuse to participate in the larger security ecosystem, and it turned off a lot of smart people, many of whom are Apple users, who honestly want to help it build better products.
And that just seems lame, if not unwise.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.