Apple prefers security by obscurity
Companies should learn from, rather than punish, security researchers
Published 11:27, 09 November 11
This news is hard to believe. Apple has removed security expert Charlie Miller from the Apple developer programme because he found a way to inject code into an iOS app.
I'm shaking my head with incredulity. This is absurd, but apparently true. Instead of this ludicrous move, Apple should have bought him a case of his favourite beverage.
iOS security is good and getting better. Just last winter, Miller himself had remarked that he wasn't going to do any more iOS hacks because it had simply become too hard. There are also essentially zero malware problems on an un-jailbroken iPhone (or iPad, etc.).
It's the safest OS to use on the Internet today! So they should get the details of this hack, fix it and push out an update. End of story, everyone goes away happy.
When I was CSO at PGP Corporation, I engaged Charlie Miller on several security evaluations. His work is incredibly valuable and makes any product more robust and secure. It's always better to get the problems from Charlie than to find them in the wild.
Apple has made great strides forward in improving security and in working with security researchers. This is a major step backwards. Let's hope that it was just a slip-up by some functionary. Apple needs to put Miller back in the developer programme, fix the problems he's found, and give him a person to report issues to directly so that this doesn't happen again.
A case of his favourite beverage in apology would be good, too.
Jon Callas is a renowned information security expert and CTO of Entrust. Jon previously co-founded and was CTO of PGP Corporation, and also served a stint as Security Privateer for Apple. His work in security policy supported the end of US cryptography export restrictions and helped secure the modern Internet.