[concinds]

I wonder how well Apple has deployed these tools internally for security research.

Since mid-April Chrome showed 302 vulnerabilities patched, 225 of them found by Google. Same period last year was 19 vulnerabilities. They've also become more transparent recently, disclosing vulnerabilities found internally, not just externally (which Apple still doesn't appear to do). From the outside, it's hard to tell if Apple has deployed this tooling as much as Google.

[guessmyname]

I am part of Apple's SEAR (Security Engineering and Architecture) organization and can’t attest that we have been using Anthropic models, including, but not limited to, Mythos, as part of our participation in Project Glassing and previous private partnerships with different frontier AI labs for years. We simply don’t talk about it because there’s no benefit to talk about it, and also NDA’s, but mostly because there’s no benefit to talk about it other than to satiate people’s curiosity about what we do or don’t do internally.

[riffraff]

You wrote "can't attest" but the rest of what you wrote seems like you're actually attesting it.

Typo, or I am just misreading?

[isomorphic]

The heavily ironic implication is that they're under NDA, so they can't attest to it, while more or less attesting it. Senator, I cannot confirm or deny that we definitely do this.

This could also be an unofficial-official way for Apple to "leak" that yes, they do this--which is on brand for how Apple handles "rumors" etc.

[riffraff]

Ah of course, thanks.

By the rest of the comment it looked like it was actually fine to share so this interpretation flew over my head.

[bitwize]

When the CIA representative says "I can neither confirm nor deny" it generally means the atrocities of which the agency has been accused did, in fact, take place.

[MattPalmer1086]

When I worked in the civil service we were trained to use that phrase to any query, no matter how innocuous (unless we had permission to give more info).

You may think that not issuing a categorical denial is suspicious, but generally speaking you cannot infer any information from that response. If it was only used when really bad things might have happened, maybe you could infer more.

[qsxfthnkp2322]

Imagine working there with a boss who talks like this.

[lapcat]

> there’s no benefit to talk about it

That there's no benefit to talking with the public is something that only Apple could believe.

Openness and honesty create trust. Secrecy creates distrust.

[JCattheATM]

I'd guess they haven't even begun to really utilize them. They've never been a terribly security conscious company, despite the marketing.

[krisbolton]

I think Apple became much better at security in recent years. One example which I think is indicative of their approach to security - they bothered to add a hardware microphone disconnect when a macbook is closed. Source: https://support.apple.com/en-gb/guide/security/secbbd20b00b/...

[xyzzy123]

What's your thinking on this? From my perspective Apple security go pretty hard. They have a strong track record of being able to ship architectural mitigations like PACs / MIE / Exclaves first. I guess because Apple control the stack from silicon to userspace.

[JCattheATM]

My thinking was in a historical context, and for their desktop OS's. I know they've been pretty on top of things with iPhones, and MacOS has become a lot better, but for the longest time MacOS was pretty lacking, coasting very much on promoting how much PCs have viruses and macs didn't, which was a marketshare thing more than a security thing. I don't think they got ASLR until later than pretty much everyone else, for example.

They've improved a lot, especially their phones, but I'd still never consider them a company that has a really strong focus on security.

[KennyBlanken]

They were not "coasting" on anything. Everything about OS X has always been designed to protect users from the stuff Apple hasn't caught yet, because they know they can't always catch it first - and Apple has led the pack in nearly every major OS security feature of the last 25 years.

That includes "don't give the user root, and ask the user for their password before doing dangerous things" - four years before Linux distros started moving to a similar model.

[jonhohle]

Didn’t Microsoft pioneer the privilege escalation prompts in Vista in 2007? It was a joke at the time how little things would hijack the entire screen to allow seemingly mundane things. I didn’t ever use Vista personally or professionally, but macOS has become pretty bad with basically the same model.

[dwaite]

IMHO, both are a mode of progressively penalizing developers as a mode of API obsoletion. It doesn't feel like the opportunity to fix a degradation of user experience really motivated app developers in either case.

The difference is Apple is much more likely to progressively make these legacy feature compatibility more difficult for users to configure over time, and to remove them eventually.

[KennyBlanken]

MacOS X prompted users for their passwords in 2001.

Microsoft's implementation was (twenty years later still is) a joke because it prompted users to hit enter or click a button.

[kilpikaarna]

It was a joke mainly because of badly designed Windows apps being used to running as root in XP and earlier would ask for permissions _all_the_time_.

[JCattheATM]

> They were not "coasting" on anything.

Yeah, they were. Virus writers were not targeting them as a platform because why develop for 10% marketshare when you can target 90% for free. It just wasn't worth it to target as a platform. So there was some level of protection due to lack of interest in distributed attacks, but the OS had very little protection against targeted attacks.

> Apple has led the pack in nearly every major OS security feature of the last 25 years.

What an absurd claim. Apple trails behind, it never leads in this space. Windows 7 had numerous protections that had become standards that Apple still lacked when Windows 10 came out.

[concinds]

> What an absurd claim. Apple trails behind

Recently there was an Anki vulnerability that gave any website access to any local files. On Windows or Linux this would be deadly. On macOS, Anki can't access my desktop or documents or Chrome storage or password manager storage. I think Apple's been smart about which security features it prioritizes.

[curt15]

> That includes "don't give the user root, and ask the user for their password before doing dangerous things" - four years before Linux distros started moving to a similar model.

Linux distros have always required sudo for "dangerous" things. What distros made users root by default?

[dwaite]

Windows and macOS both got ASLR in 2007.

For another example: macOS integrated antivirus in 2009, while Windows did so in 2012.

[JCattheATM]

Apple's ASLR was incomplete and basically trash for a long time, it didn't get proper ASLR until much later.

[xyzzy123]

Agree that pre Apple Silicon, macOS didn't get much focus. Fair point historically.

[KennyBlanken]

That's a really strange claim given AS was a refinement of a technology other manufacturers have yet to surpass in the ten years since the T1 chip came out.

To this day nobody else ties their SMC, biometric auth, and HSM together as tightly and well as the T1 did. AS was further advancement of that.

Furthermore, Apple protects users against the legal changes that have allowed law enforcement to physically force someone to provide biometric credentials. By default MS just provides biometric auth to make it easier to log in to your system.

[xyzzy123]

iOS always had a strong focus on security but if you take the time period say 2005 - 2015 it did not seem like there was much investment in macOS security at Apple. I am talking about stuff like exploit mitigations and relatively low hanging LPEs. Features like (full) ASLR / SIP / kext controls were added well after competitors.

[pjmlp]

I am PC, I am Mac campaign is from 2006, quite long time ago.

[JCattheATM]

Sure, I think I gave it that context by using the term historical.

[AnthonyMouse]

> I guess because Apple control the stack from silicon to userspace.

People always say this but there is no real relationship there. When hardware vendors add security technologies to the hardware, the major third party operating systems add support to use it pretty much immediately, and in many cases before the hardware even ships because the hardware vendor publishes the documentation ahead of time.

Try to name something where Apple was the first to support something (by a non-trivial amount of time) not because they were the first to add hardware support but because they released the combination of hardware and software in the time between when e.g. Intel or Qualcomm added hardware support and when Linux or Windows added software support to use it.