Risky Keyboards and Weaponized iPods: Is Apple Security an Oxymoron?

Rob Enderle

This has kind of been an interesting week of the weird. I spent much of it in industry analyst-only confidential sessions that looked at what was coming in the market. And there is a ton of stuff coming that I can't yet talk about.


However, when you put a lot of analysts together, you have to talk about something, and we were chatting about Apple. An increasing number of these folks use Macs, and some are less than happy with their experiences. Some developers are clearly not happy either for different reasons, so much so that many are now bypassing the company.


With a lot of you looking to deploy Apple products this year, you may want to pause and watch how Apple is dealing with security issues. Right now it isn't dealing with them very well, and the end result is that a number of my peers are quietly taking positions that "Apple security" may be an oxymoron. The reason they are being quiet about it is that Apple's normal response to problems like this is to point the Mac faithful at the author like a tactical nuke and then stand back and watch the blood fly. Few folks want to be on the receiving end of this kind of an attack. Still, it pays to be informed, particularly when a vendor doesn't want you to be.


Black Hat and Apple Tough Love


Apple typically responds to folks who point out security problems, or any problem really, with a Mac product with a variety of tools topped by an ability to motivate its near-rabid fan base into a hostile weapon. You can see this play out on the story of iPods that were blowing up. Look at the comments, wave after wave defending Apple. Seriously, if 15 Fords blew up I'll bet there'd be a recall. Boy, think what would happen if a Prius battery went up like this -- bet it would only take one.


However, with the massive gain Apple has taken in market share, many of its users are, well, just users and not Apple slaves. As a result, these methods seem to be making less of an impact. Part of this is because Apple's typical attack, which is based on implying Microsoft is somehow behind the criticism, doesn't seem to possess the credibility it once had.


An example is the news coming out of the Black Hat security conference. Black Hat has been the bane of Microsoft for about a decade, and it was criticism like that from Black Hat that got Microsoft to finally take this security stuff seriously. Now Black Hat is focusing on Apple and some are suggesting that Apple is no more secure than Microsoft was.


In addition, the security problems that surround Apple seem to be kind of unique to the company. For instance, you can apparently use an Apple keyboard as a way to steal someone's passwords, or could use an iPhone to bring down AT&T's network (something that seems to work on the Android platform as well).


There is actually a book out on how to hack the Mac.


The Problem Isn't Relative Security -- It's Disclosure


Apple has a tendency to cover up problems, and this is the downside to it being marketing driven. It fully understands and is expert at managing opinion; in tech, there is no company better. However, every skill can be misused, and when it comes to safety or security I'm a firm believer that disclosure and open mitigation are a better path because you simply can't bet crooks are too stupid to figure out how to make use of an exploit even if it isn't widely published.


Now this is by no means a universal belief. Apple, for instance, clearly disagrees, and it does effectively market its platforms as more secure than Windows, even though, in some ways, they may actually be less secure. For instance, without building a special keyboard, you can't use a Windows keyboard as a keylogger. This problem alone should drive a recommendation that Macs with separate keyboards not be used in public areas where those keyboards could become compromised. Since you can typically use Windows keyboards on a Mac, the fix would be to do that. But if you don't know of the problem, you can't implement the fix.


It's not that Apple doesn't patch its systems; clearly it does. It's that the company believes it is better not to disclose problems because doing so makes it appear to have a competitive advantage in an area where it may not.


I do think they often go too far, though, as in this instance the result was suggesting an iPhone could be a threat to National Security. The U.S. is kind of over the top on this kind of thing and the result could be an iPhone ban if they aren't careful.


The Value of Trust


Apple has one of the most trusted brands in the technology market, but trust is easily lost -- and being constantly caught covering up problems is not the way you retain or build trust. If you've studied Steve Jobs, you'd know he would fire and ban a supplier that wasn't candid with Apple about a problem. Even if they were, he still might stop using them because he is very intolerant of problems. But he is even more intolerant of folks treating him like he is stupid.


It doesn't take much time to lose trust, and covering up problems like exploding iPods and stonewalling security problems are both good ways to do that. IBM discovered in the '80s that losing trust was expensive and Microsoft spent trust like water in the '90s and still doesn't have it back. You'd think Apple would learn from IBM and Microsoft's mistakes. Evidently not.


By the way, you can actually weaponize an iPod. Damn, I can't help but think it is kind of cool -- even though it could lead to people banning both the iPod Touch and the iPhone.




We've all likely worked for and with people who don't want to know about problems, and clearly not knowing is a "feature" of using the Mac. As Jobs just found out about his own health, sometimes it is actually safer to know than not know, and here Apple's practices would get me wondering if something they weren't telling me could present a critical risk I can't mitigate because I don't know about it.


Trust is, as a result, more important to the Mac than any other product in its class. As you watch things unfold, you should ask yourself, do you still trust Apple? Its recent behavior in a number of areas does suggest, for many, the answer may soon be no.
