It's definitely absurd, but come on, unconscionable makes it sound like it's more irresponsible than the industry standard - when in fact it is less.
My guess is that they are close to shipping 10.9.2 and decided to hold on for that, not realizing how much attention this bug would get.
Yes, I agree that's a stupid call to make, but most smartphones have far worse unpatched vulnerabilities.
Also, it's worth saying that negative attention probably has little effect on Apple. In this case it's totally justified and well deserved, but the vast majority of it is 'they rejected my flappy bird app', or 'why Apple should fire Tim Cook', so this doesn't add much to the pile.
Do you have examples of these far worse unpatched vulnerabilities? Not saying they aren't there, but I'd like to know what they are.
Anyway, I stand by "unconscionable" either way. It implies nothing about the industry standard. If Apple's unconscionable actions here are still better than the industry standard (and I'm skeptical about that, hence the "if", but even given that) then that just means the industry standard is unconscionable.
Why is it worth saying that negative attention probably had little effect on Apple? I really could not possibly care less about this. My statements are based on impact to the users including myself, not the price of AAPL or its balance sheet.
Apparently, there ARE some things $100M in cash can't buy, like security reviewers, security teams, security coders... hmm, actually, $100M in cash could buy all those things. Guess it's a question of priorities, and security isn't one of them.
That doesn't mean you can't make it harder for the attacker.
Nobody is saying that Apple's wealth should mean they have no bugs. However, it does mean that they should have reasonable test coverage of critical security code.
Yes - it's obvious that there are bad practices at work here - in particular no strict static analysis. I agree there's little excuse for not adding machine processes that could have helped.
But adding human processes costs time and agility, and as you point out, money cannot replace these.
Are you sure? The old 'British Billion' was 10^12, but even that is rarely used any more. I've never seen an 'M' suffix used to mean anything other than 10^6.
And these android vulnerabilities are essentially unpatchable by design - which I think is something that really does deserve the word unconscionable.
But I accept that the overall behavior in the industry could be described by that term.
My comment about the negative attention is that Apple makes decisions based on the impact to itself. A few days of delay in fixing the bug might result in some small number of compromises, but as long as it doesn't drag on for months, it's unlikely to be a big deal.
On the other hand, negative attention and social media sentiment could have been a big deal for Apple, had it not been for all the wolf-crying. Now it's just a muted signal.
So from Apple's position this is actually a minor affair. We are horrified in principle but they are basing their actions on their practical reality.
I think you're right that this won't be a big deal for Apple. It won't really hurt them much.
However, basing your actions solely on the impact to yourself and ignoring the potentially huge negative impact for your customers is exactly the sort of thing that causes me to call it "unconscionable".
I agree that if it were just about the impact to themselves this would be "unconscionable", but I think that in practice the effect on users will also be very limited unless this vulnerability has already been known and exploited in the wild, or unless they take weeks more to patch OSX. Remember it requires a MITM attack to exploit it - not just a compromised host.
There is definitely a gamble they are taking, and definitely process improvements they should make (e.g. mandatory static analysis of shipping code). I just think this is more about poor performance than poor morals.
[noting again that if this was discovered because it's in the wild, then it's all about performance]
The iOS patch was released on Friday, so it was publicly known then at the latest. It's not particularly hard to exploit, so it seems entirely reasonable to think that people were exploiting it soon after.
How many Macs connected to Starbucks WiFi this weekend and had their e-mail and banking credentials lifted? If my hat were darker, I'd have been out there doing it for fun if nothing else.
The fact that it requires a MITM means you're fairly safe on a home connection, but there are lots of people out there on public WiFi who would be pretty vulnerable to this.
I really don't understand what the "gamble" is. What's the upside to waiting?
I think your example of a Starbucks is a good one, and I'd be curious to know. The attacker has to go and physically sit in or near the Starbucks to do it, which is a strong limitation. They also have to have something worthwhile to do with what they steal. So that limits it to criminals with the knowledge to exploit this MITM attack who are willing to sit outside a Starbucks for long enough to harvest a worthwhile set of credentials.
I doubt that many credentials were stolen this way.
Again, what's the upside to waiting? It looks like zero to me. Minor convenience for Apple at best. Placing their own convenience over the security of their customers is bad.
> Do you have examples of these far worse unpatched vulnerabilities? Not saying they aren't there, but I'd like to know what they are.
Search for what you can do for an Android phone that isn't on the very latest version of the OS, and then look up stats of how many Android phones are not, and will never be, on the latest version of the OS. That's unconscionable. To not backport fixes to devices, and to stop shipping updates to them mere months after their release in some cases.
> unconscionable makes it sound like it's more irresponsible than the industry standard - when in fact it is less.
> Yes, I agree that's a stupid call to make, but most smartphones have far worse unpatched vulnerabilities.
That's why Apple's response here is so interesting: it's much more common for smartphones to have serious and known unpatched vulnerabilities than it is for desktop and server operating systems to have them.
It's expected that a smartphone might go unpatched for a while, but the industry standard is that a desktop or server operating system should receive a patch for an extremely severe security vulnerability almost immediately.
Why Apple has chosen to ignore and invert that expectation is unclear. Was there an active, seriously damaging attack against iOS that they thought needed to be stopped right away, despite the cost to OS X users? Did they look at the install base and decide patching iOS first would have a larger impact? Is their development process for OS X not up to the task? Do they just care a lot more about their consumer electronics than their computers?
Then there's the question of why they published the details of the iOS patch before publishing a patch for OS X. Perhaps they rushed to patch iOS when they discovered the vulnerability without realizing that OS X is affected as well? The situation raises a lot of questions--while I'm not sure that what has happened is unconscionable yet (rather than merely extremely incompetent but well-intentioned), it's still an open question, and it's certainly possible.