Getting at Apple's core problems

Apple is now as much about consumer electronics as it is computers

We need more details about the security fixes Apple is releasing, says regular commentator Bill Thompson.

The computer manufacturer formerly known as "Apple Computer" changed its name to Apple Inc eighteen months ago, reflecting the growing importance to its profitability of consumer gadgets like iPods, shiny toys like iPhones and of course music sales from iTunes.

It was a sensible move, since the real money is no longer in powerful multi-processor servers for high-end graphics, video and music production but in laptops for the Vista-resistant masses, phones to keep workers connected to corporate servers and music devices for the kids.

Being a cool brand really helps in this, of course.

Apple's reputation may be built on high design, functionality and usability, but a big part of its current success comes not from the quality of its products but careful control of all aspects of the message.

New product launches get a lot of press attention partly because they are genuinely newsworthy.

There are very few leaks and those that do occur are stamped on with such legal force that anyone tempted to talk to a journalist will be deterred, while journalists who write things that Apple does not like might find that they do not get as good access in the future.

Building system security is a collaborative activity, and Apple is not currently playing as a member of the team. Bill Thompson

Most of the time the lack of advance information doesn't matter, and it provides an entertaining diversion for technology commentators as they try to guess whether the new MacBook will have rounded corners like the Air or come with a non-Intel chipset.

Whether or not the next iPod nano will revert to the stick format from its current fat instantiation is really about as important as the latest celebrity diet or David Beckham's career plans, but it offers some entertainment in the technology pages.

The design and launch of new products is Apple's business, and while I think the paranoid fear of anything that might spoil the next Steve Jobs keynote is a sign of weakness rather than strength it is clearly up to Apple, and the law of commercial confidence is on its side.

Think security

But different calculations apply when it comes to dealing with people who already use its products, where Apple's unwillingness to divulge details of security flaws or even the specifics of how flaws are fixed leaves customers confused, ignorant and possibly exposed to attacks that could be avoided.

Patches are simply distributed through Software Update, with little detail about the problems they address or the changes they make, and discussion of security is severely restricted.

We have seen this recently, as two Apple-related talks at the 2008 Black Hat hacker convention were pulled at short notice. A discussion of flaws in the Mac OS disk encryption system FileVault by Charles Edge was withdrawn because he has signed confidentiality agreements with Apple.

Product launches are as important as Beckham's career moves, says Bill

And a promised panel discussion by members of the security engineering team was dropped because it had not been cleared with marketing, who clearly have more clout here than the people who are actually responsible for making sure that Apple systems are secure.

This approach was never popular, but its dangers have been highlighted by the fuss around the public release of the details of the flaw in the domain name system identified last year by researcher Dan Kaminsky.

While many vendors patched their DNS software weeks ago and a growing number of ISPs have updated their systems to the latest version, Apple did not offer an update until last week.

What's more, the update only fully fixes the problem with Mac OS X Server, and leaves the client software running on millions of laptop and desktop computers vulnerable.

We don't know if this is an error or whether Apple believe there is no need to fix the client for some reason, as the company does not discuss this sort of thing.

In this case it may be that few desktop machines actually store or serve domains and so this is a small problem, but Apple has not chosen to share its thinking.

It is rather ironic that one of the attacks being developed to take advantage of the DNS flaw subverts automatic updating of software, so we Mac users might be tricked into downloading malicious software because we assume it's just another unexpected update pushed at us by Apple.

In the last two years Microsoft has made strenuous efforts to be more open about security issues, a process that has culminated in a blog where senior engineers discuss the latest patches and the problems they are intended to solve.

It's not quite full disclosure, and there's still not even a whisper of a hint that it would accept any liability for the consequences of its programming errors, but it does mean that those working with Microsoft software can consider the nature of the patches they are being asked to apply.

With Apple it remains "take it or leave it". And much as I trust Apple and its engineers the nature of the threats facing all computer users on today's internet means that this is no longer sufficient.

Building system security is a collaborative activity, and Apple is not currently playing as a member of the team.

Bill Thompson is an independent journalist and regular commentator on the BBC World Service programme Digital Planet.