by TheKnack 1531 days ago
Apple invites this kind of reaction by not being transparent and not cooperating with the larger security community, for reasons that are difficult to understand.

This week's episode of the podcast run by the Intego Mac Antivirus company talked about a new malware affecting macOS that was severe enough that Apple released XProtect signatures for it, but didn't provide details to the rest of the security community, so anti-virus vendors had to reverse engineer the XProtect signatures to figure out what they were for. Apple usually only updates XProtect for the highest severity malware that's circulating widely.

https://podcast.intego.com/233

Most of the tech industry participates in information sharing through groups like the Cyber Tech Accord, the Cyber Threat Alliance, and several others. Apple is conspicuously absent from these groups.

https://cybertechaccord.org/signatories/

https://www.cyberthreatalliance.org/

What reason does Apple have to withhold information about vulnerabilities from the rest of the industry? It just puts their customers at risk. They have a trillion dollars. There's no reason they couldn't dedicate entire teams to disseminating information in a responsible way, just like every other tech company that you've heard of.

In the case of these Big Sur / Catalina patches, what benefit is it for them to not share their plans if they are in fact planning to release patches once the "regressions" are accounted for?

2 comments

> Apple invites this kind of reaction by not being transparent and not cooperating with the larger security community

Eh, I disagree. While it's fair to wonder what's taking them so long, attributing malice or incompetence is unreasonable without more evidence than mere delay.

> What reason does Apple have to withhold information about vulnerabilities from the rest of the industry? It just puts their customers at risk.

I think the jury is out on the conclusion. While Apple is unquestionably peculiar with respect to their security community engagement, I think most would agree that they also have an outstanding overall security track record when you take into account the immense number of devices out there, all of which are connected to the Internet. It's difficult to identify a company that does better (again, relative to the overall risk exposure) than Apple in this aspect.

> They have a trillion dollars. There's no reason they couldn't [insert anything here]

Money can't buy you everything. Even Apple's war chest can't buy them the exact talent they need at the exact time. Talent is scarce and often happy and well-compensated at other engagements. Same goes for any of the FAANGs, one of whom I currently work for.

A pattern of non-communication about high risk security issues to developers that could help mitigate their effects or to customers that will be affected by that lack of mitigation seems like intentionally malicious behavior to me.

Lack of transparency is inexcusable for a business with such an overwhelmingly prolific ecosystem that has such a broad impact on derivative technologies and the businesses that use it.

Apple are culturally allergic to transparency. It’s going to be either a seismic corporate culture change if it happens quickly or it will take on the order of a decade or more for them to become comfortable with being open whenever the opportunity is appropriate. Apple is a “deny by default” sort of company at its heart.
Being malicious means you actually intend for people to suffer harm. Do you really think that's what Apple wants? What evidence do you have of that?

You think that they do not know that these are the consequences? When vulnerabilities are being exploited in the wild, they know that harm is being done, and then they made a deliberate choice to withhold information that could help prevent that harm. How is that decision not malicious?

I think you're using the word "malicious" when maybe what you mean is "irresponsible."

Please refer to the very top of the thread where I try to provide a reasonable and much more likely explanation behind what's going on.

Classic debate about whether being stupid or incompetent is the same as having ill intent.

We're still the ones being hit by a bus.

Not to take anything away from the other things you’re saying, but there’s a large difference between a company’s valuation and how much cash plus equivalents they have. Apple has roughly $20B, most of their valuation is from other things. :)