On 16.05.01 at 14:41, Peter Bierman <biermanat_private> wrote:

>At 12:30 PM +0200 5/15/01, Terje Bless wrote:
>>Since Apple *still* aren't reading Bugtraq [...]
>
>I might not read every message on Bugtraq (who can?) but I skim the
>subjects looking for Mac OS X topics. And I doubt I'm the only Mac OS X
>engineer that does this.

Great! That's a huge step up from what the situation appeared to be. But it's still not good that Apple to all appearances has no Point of Contact for security issues, no Advisory channel, doesn't send advisory-ish things to Bugtraq (especially for things that were reported here in the first place), doesn't respond (AFAICT) to security issues reported as "bugs" using normal channels, doesn't have a "Security Issue" option in the BugReporter, doesn't provide their own security-related mailing list, and releases "stealth" security fixes. All of which have been reported as bugs in BugReporter (after the worst b0rkenness in /that/ horror was fixed this winter).

>You should still send bug reports directly to Apple.

I have, I do, and I will. Repeatedly! :-)

>>BTW, if anyone has contacts at Apple _please_ bug them about starting to
>>take security seriously!
>
>We do. We might not do exactly what _you_ want though.

Fair enough. Still, I insist on retaining my right to disagree that your security strategy is a good or even remotely complete one. If I ever found such a beast I might change my mind, but digging around Apple for security related info is an exercise in futility.

I admin all kinds of platforms, and right now, Apple is the one sore thumb that sticks out as having no visible security strategy at all (don't the sales drones realize the potential for PR disaster inherent in that situation?). All other major vendors have /some/ kind of security channel and at a minimum a token appearance on Bugtraq or similar. Apple gives the appearance of having its head in the sand...

( I bugged Wilfredo about this before he left and he said he'd pass it on; did anyone pick up that ball? Public info hasn't changed, but maybe something is happening internally? )

>Apple's World Wide Developer Conference is next week in San Jose. There
>might be some Mac OS X security news there...

Wish I could be there, but alas... :-( I don't suppose key events will be streamed?

>-pmb

Good to see you're still alive. Last time I saw a life-sign from you, you were futzing with the Rhapsody installer or somesuch before the first release. :-)

This archive was generated by hypermail 2b30 : Wed May 16 2001 - 23:44:24 PDT