Apple details iOS security at Black Hat conference

Apple engineer Ivan Krstić spoke on far more than Apple’s new bug bounty program at the Black Hat security conference, and delved into the inner workings of iOS hardware and software security features both in iOS 9 and the forthcoming iOS 10.

Security is such an important issue these days. It’s a great move for Apple to speak publicly about what it is doing to make its products secure.

∞ Read this on The Loop

Inside Tim Cook’s Apple

Rick Tetzeli has published a wide-ranging interview with Tim Cook, Craig Federighi and Eddy Cue.

At the heart of the article is the concern that Apple is stretching too thin, moving far beyond its old scope of projects and products:

Steve Jobs had been the company’s editor, proud of saying no to features, products, business ideas, and new hires far more often than he said yes. Apple’s seemingly diffuse product line reinforces the argument that Cook is not as rigorous. (The fear has a worrisome precedent: During the early and mid-1990s, Apple’s product line was a mess of marketing-inspired offerings, and both its reputation as a unique manufacturer and its business suffered.)

I don’t know if Apple’s doing too many things or not, but I think it’s worth keeping in mind that the company isn’t led by the bozos that ran it in the 1990s. Tim and company know what they’re doing.

Apple Announces Security Bounty Program

Russell Brandon, reporting for The Verge:

The new program will begin as invite-only, including only a few
dozen researchers. Still, Apple says the program will become more
open as it grows, and if a non-member approaches Apple with a
significant bug, they’ll be invited into the program to work it
through. The invite system is unusual for a bounty program, but
Apple explained it as necessary to weed out spurious submissions
and make sure trusted researchers had adequate support from the
company.

For now, the new program is also limited to five distinct
categories of bugs. The most valuable category — worth up to
$200,000 — is vulnerabilities that compromise the secure boot
firmware components, cutting at the heart of Apple’s hardware
protections. Notably, those vulnerabilities are also particularly
useful for jailbreaks. Smaller rewards are available for the
extraction of data from the Secure Enclave, extraction of
arbitrary code, escaping a sandboxed process, and obtaining
unauthorized access to iCloud account data.

The bounty program was announced by Apple head of security engineering, Ivan Krstic, during his presentation today at Black Hat in Las Vegas. Both the bounty program and the mere fact that Krstic was speaking at Black Hat are signs of Apple’s thawing relationship with the security industry.