Mac & i: Summing it all up, do you think Apple has what it takes to make computing secure for their users? Will they only need to update their technologies, or is it also a question of their management's attitude towards security?
CM: Apple is certainly capable of producing a secure product but hasn't put in the effort yet. They are a product company. New, exciting products sell and make them money, security doesn't. If you look at the original iPhone, it sold like crazy, but security wise was just awful. There is a (slowly changing) perception that Apple products are secure. I guess Apple figures why spend money on actual security when they're already considered secure. It will take a security related crisis, like Microsoft experienced nearly ten years ago, to get Apple to change. Security needs to affect their bottom line.
They've also painted themselves in a corner a bit because they've been advertising security features like ASLR since Leopard came out four years ago. How do they advertise additional security for Lion? "Lion has ASLR that actually works", or maybe, "Lion has caught up to Windows Vista in security"?
DDZ: If you compare the security features of iOS versus Mac OS X, you can see where Apple has found it in their business interest to implement various security features. And on iOS, the majority of the security features are intended to protect Apple's business model (iTunes Store) rather than the user's data. Of course, this isn't just Apple, it's every commercial software vendor. Security does not make them money, selling products does, so they will only provide the minimum level of security necessary to keep customers buying their products. There isn't necessarily anything wrong with that.
If you look at web browsers, Google continues to invest the most effort into the security of their browser, Chrome. It's Google's business model to keep you using the web, which requires that you trust the web with your time and data. As they have the most to lose by consumers losing confidence in the web, they will spend the most money to make it safe. Most of Google's efforts are spent on the Windows and Linux versions of Chrome, and the Mac OS X version of the browser benefits from many of those efforts for free. As Apple targets home users, as long as their users are safe from mass malware targeting consumers for identity theft and bank fraud, there isn't much more that Apple needs to do.
Mac & i: The bottom line, so to speak, is the bottom line. By the way, when you go looking for that sweet vulnerability in OS X, do you have any special tools at your disposal, or are your "weapons" available to the bad guys as well?
CM: Part of the motivation for writing the Mac Hacker's Handbook was to get our expertise out to everybody, especially the good guys. The bad guys tend to know this stuff already. Both of us regularly give talks about how we find and exploit bugs, so unless Dino has some secret sauce I don't know about, all our knowledge is in the public space.
DDZ: There really isn't any magic or secret sauce needed to find Mac security vulnerabilities. "The Mac Hacker's Handbook" showed several fruitful ways: fuzzing, looking at the change logs of upstream 3rd-party software, and reverse engineering. Personally, I prefer spending quality time in IDA Pro to writing fuzzers. And I don't even have any magic IDA scripts that I use, just a methodical manual process of reading through the binary, renaming variables and functions, and building my understanding of how it works. In addition to the book that I wrote with Charlie, I also give Mac hacking training at the BlackHat conferences with Vincenzo Iozzo. Anyone interested in learning how to find vulnerabilities in Mac OS X is welcome to take our class.
Mac & i: ...looks like cutting-edge hacking is still manual work, like in the good old days. I still remember changing my Apple //e's OS to accept commands in lowercase... Well, ok, let's finish this interview with a serious touch. Why don't you participate in the Pwn2Own challenge as a team?
DDZ: I think Charlie has shown plenty well that he doesn't need any help to win PWN2OWN ;). I like to be the first to pwn a particular target at Pwn2Own. I was the first to own a Mac at Pwn2Own 2007, so I didn't feel like I needed to do that again. I would have liked to have been the first to pwn an iPhone there, but Ralf-Philipp Weinmann and Vincenzo Iozzo already beat me to that one. Maybe I'll show up one year with a surprise up my sleeve, but don't hold your breath.
CM: Now why would I want to give half my money to Dino?
Mac & i: The last question goes to Charlie - probably the question you get asked most often: Will you do it again at Pwn2Own 2011, and if so, do you already have a bug in your bag to exploit? Maybe Safari 5?
CM: I'm not sure. It is really a lot of effort and pressure for not too great a reward. I think I've proven the two things I set out to prove, namely, that Apple products are not perfectly secure and that I can write exploits. The problem is you can have an exploit and it can get patched a week before the competition or someone's name can get drawn out of a hat before yours and you get nothing. I guess it will depend on the rules this year. It is a great competition and a lot of fun. As for whether I have an exploit in my pocket, a gentleman doesn't discuss such things, but I'm not a gentleman, so yes.