Re: [Fed-Talk] Question on Mac approval
- Subject: Re: [Fed-Talk] Question on Mac approval
- From: Joel Peterson <email@hidden>
- Date: Sat, 31 Aug 2013 01:20:51 +0000
- Thread-topic: [Fed-Talk] Question on Mac approval
I've never stated that Apple's official position shouldn't be more transparent. It certainly should, and the fact that the Enterprise VP hasn't made this happen yet is very unfortunate; Apple is doing more and more to actively not support us when they could throw a few resources at maintaining Federal/Mid-Large Enterprise tie-ins across their ecosystem. Shawn is certainly doing his part by keeping Smart Card Services alive on his own, but why why why is a company with over $150 Billion cash on hand not willing to put a team together to work on things like supporting Smart Cards, AD/LDAP, EOL agreements, etc?
We need something better than one-on-one email threads to VPs and bug reports. How do we actually make the above a reality?
Joel Peterson
email@hidden
________________________________________
From: Dave Schroeder <email@hidden>
Sent: Friday, August 30, 2013 5:57 PM
To: JEFFREY COMPTON
Cc: Joel Peterson; Fed Talk (email@hidden)
Subject: Re: [Fed-Talk] Question on Mac approval
If history is any guide, you will NEVER get an answer from Apple on EOL of operating systems.
As you said, what history tells us you can count on is that 10.x and 10.x-1, where 10.x is the current release, generally get full security updates. 10.x-2 will rarely get updates under various circumstances.
We have taken this issue to the EVP level at Apple a couple of times in the past because various parts of our organization have sometimes needed a formal EOL statement on OSes to "help" them move on; even in cases where it would be clearly beneficial to Apple, we have never been able to get Apple to officially say an OS is EOL. The closest we have gotten is various SEs/CEs saying, essentially, we all know what Apple has done to date with OS X and that's the best we can say. This is a double-edged sword because it means some of our AppleCare agreements will result in Apple trying to do ridiculous things like still support 10.4...which is great in those oddball emergencies for some old piece of equipment someone has dug up, but on balance is not worth the tradeoff.
- Dave
On Aug 30, 2013, at 5:01 PM, JEFFREY COMPTON <email@hidden> wrote:
> Careful Joel,
>
> Look carefully - not ALL vulnerabilities in 10.6 are being patched.
>
> Best I can tell - Apple has focused 10.6 patches on server-centric components
>
> Historically - Apple has only provided patches for current OS minus 1. But I can't for the life of me get an honest answer from my reps, or anyone from Apple about the CURRENT policy.
>
>
> Sent from my iPhone
>
> On Aug 30, 2013, at 1:45 PM, Joel Peterson <email@hidden> wrote:
>
>> 10.6 is still receiving security updates as recently as last month:
>> http://support.apple.com/kb/HT1222
>>
>> Joel Peterson
>> email@hidden
>>
>>
>> On 8/30/13 10:22 AM, "Mike Bainter" <email@hidden> wrote:
>>
>>> Could you please provide a link or source regarding your statement that
>>> 10.6 is EOL?
>>>
>>> Thanks!
>>>
>>> Mike
>>>
>>> On Aug 29, 2013, at 4:36 PM, Joel Esler wrote:
>>>
>>>> 10.6 is eol. No patches. So is 10.5 obviously.
>>>>
>>>> --
>>>> Joel Esler
>>>>
>>>>> On Aug 29, 2013, at 7:21 PM, "Beatty, Daniel D CIV NAVAIR, 474300D"
>>>>> <email@hidden> wrote:
>>>>>
>>>>> Hi Peter,
>>>>> First, I should say take it easy. I am not against you. That said,
>>>>> you kind of proved my point. Apple has buy in with NIST, and from the
>>>>> point of view of having a good product. It is just as much a matter
>>>>> of our relevance as a customer as it is their relevance as a provider.
>>>>>
>>>>>
>>>>> The point I made about OSI is very relevant. The USG also mandated
>>>>> that OSI be used throughout its networks. In other words, OSI was
>>>>> supposed to be the network. Just when did OSI work? IBM had a few
>>>>> prototypes that did not live up to its own standards. If we played
>>>>> by that rule, the internet would never have been. However, the
>>>>> President mandated use of the internet in 1994. What do you think the
>>>>> people were doing in between the two mandates? A lot of people were
>>>>> using the internet, even in the USG, before the President's mandate.
>>>>> Were they in violation of mandates? Or did they choose to comply with
>>>>> their mission, which is also a mandate? There is always someone who has
>>>>> the ability to get our customers what they need to do their job, even
>>>>> if it removes us from relevance. It happened in the case of OSI.
>>>>>
>>>>> In any case, you are right in the fact we should encourage Apple on
>>>>> higher standards. We should check both with Apple and their third
>>>>> party supporters. There is always some incentive to encourage mutual
>>>>> goals.
>>>>>
>>>>> V/R,
>>>>>
>>>>> Daniel Beatty, Ph.D.
>>>>> Computer Scientist
>>>>> Code 474300D
>>>>> 1 Administration Circle. M/S 1109
>>>>> China Lake, CA 93555
>>>>> email@hidden
>>>>> (760)939-7097
>>>>>
>>>>> -----Original Message-----
>>>>> From: Peter Thoenen - NOAA Federal [mailto:email@hidden]
>>>>> Sent: Thursday, August 29, 2013 2:57 PM
>>>>> To: Beatty, Daniel D CIV NAVAIR, 474300D; Fed Talk
>>>>> Subject: RE: [Fed-Talk] Question on Mac approval
>>>>>
>>>>> True but irrelevant IMHO. Regardless of the private sector we have a
>>>>> statutory requirement within the Federal IT space to follow NIST
>>>>> SP800-70 via 800-53 CM-2 via FIPS200.
>>>>>
>>>>> If a commercial vendor can't meet hard requirements, then we simply
>>>>> shouldn't be using that vendor. We seem to understand that in all
>>>>> procurements EXCEPT IT procurements, i.e. we don't use construction
>>>>> contractors that can't meet code (and history of such) nor do we
>>>>> purchase various other widgets that can't meet our requirements. In IT
>>>>> (because we hate to imagine ourselves as a boring commodity/utility
>>>>> instead of a sexy sales/rockstar/engineer/creative class) we have a
>>>>> distinct inability to simply follow the rules as written.
>>>>>
>>>>> If the requirement is 10.6, then you use 10.6. If you can't use 10.6,
>>>>> then buy something else.
>>>>>
>>>>> And once again I'm saying that from a high horse; I live in the same
>>>>> reality as the rest of you, where in practice our supervisors and senior
>>>>> organizational managers say "Don't care, want the sexy widget" :)
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: fed-talk-bounces+peter.thoenen=email@hidden
>>>>>> [mailto:fed-talk-
>>>>>> bounces+peter.thoenen=email@hidden] On Behalf Of Beatty,
>>>>>> Daniel D CIV NAVAIR, 474300D
>>>>>> Sent: Thursday, August 29, 2013 10:08
>>>>>> To: Fed Talk (email@hidden)
>>>>>> Subject: Re: [Fed-Talk] Question on Mac approval
>>>>>>
>>>>>> Hi Paul,
>>>>>> That is kind of the point. When the Federal government is not the
>>>>>> only customer, those other customers may have a greater influence.
>>>>>> Hence, the notion of standards is kind of a requirement.
>>>>>> However, for such a thing to have value there has to be buy-in by all
>>>>>> parties, including the manufacturers. If a manufacturer can say, "my
>>>>>> customers don't need it," then it is hard to influence an outcome that
>>>>>> has the feature desired.
>>>>>>
>>>>>> On the flip side, the OSI veterans can fill an ear about how they had
>>>>>> the "right people" on their committees. OSI talked a good
>>>>>> scheme, but TCP/IP walked the walk much more effectively. The irony
>>>>>> was that TCP/IP was built into every BSD variant, and thus the
>>>>>> internet was born. OSI wanted the credit, but in the end their
>>>>>> vendors' buy-in looked like "sunk cash."
>>>>>>
>>>>>> What will happen with NIST/DISA standards for security? They have
>>>>>> the buy-in, just like OSI. However, Apple looks like the TCP/IP
>>>>>> cowboy. So is there a pattern?
>>>>>>
>>>>>> V/R,
>>>>>>
>>>>>> Daniel Beatty, Ph.D.
>>>>>> Computer Scientist
>>>>>> Code 474300D
>>>>>> 1 Administration Circle. M/S 1109
>>>>>> China Lake, CA 93555
>>>>>> email@hidden
>>>>>> (760)939-7097
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: fed-talk-bounces+daniel.beatty=email@hidden
>>>>>> [mailto:fed-talk-bounces+daniel.beatty=email@hidden]
>>>>>> On Behalf Of Robinson, Paul, DVI/DMA-Fort Meade
>>>>>> Sent: Thursday, August 29, 2013 12:33 PM
>>>>>> To: Disiena, Ridley (GRC-VG00)[DB Consulting Group, Inc.]; Moore,
>>>>>> Dallas
>>>>>> Cc: Apple Fed-Talk List
>>>>>> Subject: Re: [Fed-Talk] Question on Mac approval
>>>>>>
>>>>>> This point Ridley makes (see below) is illustrated by the 10.8
>>>>>> release. Apple's disk encryption capability changed in 10.8. In 10.7
>>>>>> the CAC could be used to provide the encryption key, making it
>>>>>> possible to boot up the computer with a CAC. 10.8 dropped this
>>>>>> support, so encryption is via username/password. Once set, it is not
>>>>>> possible to enable CAC login.
>>>>>>
>>>>>> The only solution is to procure a third-party disk encryption tool
>>>>>> for DAR compliance. I expressed this to an Apple rep yesterday and he
>>>>>> says their focus is small groups' use of the workstations, despite the
>>>>>> enterprise use of the Apple OS across the Apple enterprise.
>>>>>> Sad really.
>>>>>>
>>>>>> Paul Robinson, CISSP
>>>>>> Defense Media Activity
>>>>>>
>>>>>> From: "Disiena, Ridley (GRC-VG00)[DB Consulting Group, Inc.]"
>>>>>> <email@hidden<mailto:email@hidden>>
>>>>>> Date: Thursday, August 29, 2013 12:31 PM
>>>>>> To: "Moore, Dallas"
>>>>>> <email@hidden<mailto:email@hidden>>
>>>>>> Cc: Apple Fed-Talk List
>>>>>> <email@hidden<mailto:email@hidden>>
>>>>>> Subject: Re: [Fed-Talk] Question on Mac approval
>>>>>>
>>>>>> Another reason, in my opinion, is the rapid release cycle from Apple,
>>>>>> which is only compounded by the veil of secrecy and lack of
>>>>>> confidence the federal space has in the future releases. Most if not
>>>>>> all Federal agencies have no assurance in what security features will
>>>>>> remain in Apple-provided operating systems from one version to the
>>>>>> next, year after year, what will be deprecated / left limping with
>>>>>> lack of adequate support, or what will be removed entirely and cease
>>>>>> to be a feature.
>>>>>>
>>>>>> _______________________________________________
>>>>>> Do not post admin requests to the list. They will be ignored.
>>>>>> Fed-talk mailing list (email@hidden)
>>>>>> Help/Unsubscribe/Update your Subscription:
>>>>>> mil
>>>>>>
>>>>>> This email sent to email@hidden
>>>>
>>>
>>>
>>
>>
>