Bugtraq mailing list archives

Re: Personal Web Sharing remote stop


From: Terje Bless <link () tss no>
Date: Thu, 17 May 2001 00:10:06 +0200

On 16.05.01 at 14:41, Peter Bierman <bierman () apple com> wrote:

> At 12:30 PM +0200 5/15/01, Terje Bless wrote:
>> Since Apple *still* aren't reading Bugtraq [...]
>
> I might not read every message on Bugtraq (who can?) but I skim the
> subjects looking for Mac OS X topics. And I doubt I'm the only Mac OS X
> engineer that does this.

Great! That's a huge step up from what the situation appeared to be. But
it's still not good that Apple to all appearances has no Point of Contact
for security issues, no Advisory channel, doesn't send advisory-ish things
to Bugtraq (especially for things that were reported here in the first
place), doesn't respond (AFAICT) to security issues reported as "bugs"
using normal channels, doesn't have a "Security Issue" option in the
BugReporter, doesn't provide their own security-related mailing list, and
releases "stealth" security fixes.

All of which have been reported as bugs in BugReporter (after the worst
b0rkenness in /that/ horror was fixed this winter).


> You should still send bug reports directly to Apple.

I have, I do, and I will. Repeatedly! :-)


>> BTW, if anyone has contacts at Apple _please_ bug them about starting to
>> take security seriously!
>
> We do. We might not do exactly what _you_ want though.

Fair enough.

Still, I insist on retaining my right to disagree that your security
strategy is a good or even remotely complete one. If I ever found such a
beast I might change my mind, but digging around Apple for security related
info is an exercise in futility.

I admin all kinds of platforms, and right now, Apple is the one sore thumb
that sticks out as having no visible security strategy at all (don't the
sales drones realize the potential for PR disaster inherent in that
situation?). All other major vendors have /some/ kind of security channel
and at a minimum a token appearance on Bugtraq or similar. Apple gives the
appearance of having its head in the sand...

(
  I bugged Wilfredo about this before he left and he said he'd pass it on;
  did anyone pick up that ball? Public info hasn't changed, but maybe
  something is happening internally?
)


> Apple's World Wide Developer Conference is next week in San Jose. There
> might be some Mac OS X security news there...

Wish I could be there, but alas... :-(

I don't suppose key events will be streamed?


> -pmb

Good to see you're still alive. Last time I saw a life-sign from you you
were futzing with the Rhapsody installer or somesuch before the first
release. :-)

