Dan Underwood

@danunderwood
235 Followers
245 Following
93 Posts

Security Engineering @ Apple, Ex-UK Gov

The intersection of technology (device and national security), and liberal arts (public policy)

Pronouns: He/Him
Threads: https://www.threads.net/@dancunderwood
Bluesky: https://bsky.app/profile/underwood.digital

In case you missed it - here’s six(!) hours of content from my incredible friends and colleagues today on protecting your apps from memory safety vulnerabilities. It was great to meet up with developers and talk about protecting users!

https://www.youtube.com/live/UZeSyodAszc?si=r8JuKKR7dmSZsZ40

Fortify your app: Essential strategies to strengthen security | Meet with Apple


“Following rigorous security testing and extensive evaluation by the German government, iPhone and iPad become the first consumer devices approved for use with classified information in NATO restricted environments”

https://www.apple.com/newsroom/2026/02/iphone-and-ipad-approved-to-handle-classified-nato-information/

iPhone and iPad approved to handle classified NATO information

Today, Apple announced iPhone and iPad are the first and only consumer devices in compliance with information assurance requirements of NATO nations.


Reminder that Apple is hosting an event on March 5 for developers building software on Apple’s platforms focused on Security.

We're going to present all the technologies that we utilize to make iOS the most secure platform in the world. This is a comprehensive event covering writing security-sensitive components in Swift, Memory Integrity Enforcement (MIE), Pointer Authentication (PAC), hardened allocators, and sandboxing/attack-surface reduction.

Sessions are led by Apple engineers working directly on platform security and security tools.

In person: https://developer.apple.com/events/view/D4MG4S3PJ7/dashboard
Online: https://developer.apple.com/events/view/TUHA23T82K/dashboard

Meet with Apple - Apple Developer

Join us around the world for a variety of sessions, labs, and workshops — tailored for you.


My peer team at Apple is hiring! If you’re interested in securing cutting-edge hardware and collaborating with incredibly skilled engineering teams to deliver great products that people love using, then this role may be a good fit.

https://jobs.apple.com/en-us/details/200640871-0836/security-reviewer-secure-design-platform?team=SFTWR

Security Reviewer, Secure Design Platform - Jobs - Careers at Apple


Remarkably, iOS also integrates the UDC in a 1-click context, but this bug is not exploitable, because the codec is compiled with -fbounds-safety, which inserted bounds checking instructions, making the bug unreachable.
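The post above describes a bug that stays unreachable because the compiler inserted the bounds check for the developer. The following is an added example, not code from the post, from the codec it refers to (which is left unexpanded here) or from Apple: a toy decoder with the same shape of latent out-of-bounds read, written once in the form that trusts its in-band length and once with the check written out by hand. The record format, the `decode_unchecked`/`decode_checked` names and the sample inputs are all constructed for illustration. On clang with `-fbounds-safety`, the `__counted_by` annotations (from `<ptrcheck.h>`) make the compiler check every dereference of `buf` against `len` and trap on violation; on any other toolchain the annotation expands to nothing and only the explicit check protects you.

```c
/* Added example, not from the post above and not Apple's code.
 * Constructed record format:
 *   byte 0     : sample count n
 *   bytes 1..n : n one-byte samples
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Under clang -fbounds-safety, <ptrcheck.h> provides __counted_by() and the
 * compiler emits a bounds check on every dereference of an annotated pointer.
 * Elsewhere the annotation is defined away so the file still builds. */
#if defined(__has_feature)
#  if __has_feature(bounds_safety)
#    include <ptrcheck.h>
#    define HAVE_BOUNDS_SAFETY 1
#  endif
#endif
#ifndef HAVE_BOUNDS_SAFETY
#  define HAVE_BOUNDS_SAFETY 0
#endif
#ifndef __counted_by
#  define __counted_by(n)
#endif

/* Vulnerable form: trusts the in-band count. When n > len - 1 the read of
 * buf[1 + i] runs past the record. With -fbounds-safety that read is checked
 * against len and the process traps; without it, this is a plain OOB read,
 * so only feed it well-formed input on an unhardened build. */
static int decode_unchecked(const uint8_t *__counted_by(len) buf, size_t len,
                            uint8_t *__counted_by(out_cap) out, size_t out_cap)
{
    if (len < 1) return -1;
    size_t n = buf[0];
    if (n > out_cap) return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = buf[1 + i];           /* latent OOB read when n > len - 1 */
    return (int)n;
}

/* Hardened form: the same decoder with the check the compiler would insert
 * written out explicitly, so it is safe on every toolchain. */
static int decode_checked(const uint8_t *__counted_by(len) buf, size_t len,
                          uint8_t *__counted_by(out_cap) out, size_t out_cap)
{
    if (len < 1) return -1;
    size_t n = buf[0];
    if (n > out_cap) return -1;
    if (n > len - 1) return -1;        /* declared count exceeds the record */
    for (size_t i = 0; i < n; i++)
        out[i] = buf[1 + i];
    return (int)n;
}

/* Constructed inputs: a well-formed record, and a truncated one whose header
 * claims five samples while only two bytes follow it. */
static const uint8_t good_record[] = { 3, 0x10, 0x20, 0x30 };
static const uint8_t bad_record[]  = { 5, 0xAA, 0xBB };

int decode_good(void)
{
    uint8_t out[8];
    return decode_checked(good_record, sizeof good_record, out, sizeof out);
}

int decode_truncated(void)
{
    uint8_t out[8];
    return decode_checked(bad_record, sizeof bad_record, out, sizeof out);
}

int decode_good_unchecked(void)
{
    uint8_t out[8];
    return decode_unchecked(good_record, sizeof good_record, out, sizeof out);
}

int third_sample(void)
{
    uint8_t out[8] = {0};
    if (decode_checked(good_record, sizeof good_record, out, sizeof out) < 3)
        return -1;
    return out[2];
}

int main(void)
{
    printf("bounds-safety checks compiled in: %d\n", HAVE_BOUNDS_SAFETY);
    printf("good record   -> %d samples\n", decode_good());
    printf("truncated     -> %d (rejected)\n", decode_truncated());
    return 0;
}
```

To see the compiler-inserted check do the work the post describes, build with `clang -fbounds-safety` and call `decode_unchecked` on `bad_record`: the read of `buf[3]` is rejected at run time and the process traps rather than reading past the record. On a build without the flag the same call is an ordinary out-of-bounds read, which is why `decode_checked` carries the explicit comparison.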

My team has an open intern slot! If you are a student interested in working on App Intents and Apple Intelligence with us, drop me a DM please! We have an awesome and experienced group of folks that will make great mentors for you.

https://jobs.apple.com/en-us/details/200606145-3810/software-engineering-internships?team=STDNT

Software Engineering Internships - Jobs - Careers at Apple


At WWDC, we unveiled formally verified ML-KEM and ML-DSA #PostQuantum implementations in CryptoKit.

🆕🎥 Last month at Hexagon in Paris, we provided additional insights into the mechanisms used for verifying the implementations using Cryptol, SAW and Isabelle.

The talk also covers the evolution of the Secure Page Table Monitor, a view into Memory Integrity Enforcement, updates to Apple Security Bounty… and a note on the moral character of offensive security work.

https://youtu.be/Du8BbJg2Pj4

HEXACON 2025 - Keynote by Ivan Krstić


It’s great to see an effort to bust the common security myths that end up harming users, and which just create excess noise that prevents the really critical advice and guidance from being spread. The note around Secure by Design is also critical - it’s our responsibility as an industry to remove the burden on users, not create that excess noise.

A really impressive cast of signatories as well!

https://www.hacklore.org/letter

The Letter — Stop Hacklore!


We’re updating our bounty program with the top award now set at $2 million for zero-click remote exploit chains. In addition, there are increased awards for proximate wireless attacks, WebKit, and Gatekeeper.

https://security.apple.com/blog/apple-security-bounty-evolved/

A major evolution of Apple Security Bounty, with the industry's top awards for the most advanced research - Apple Security Research

Today we’re announcing the next major chapter for Apple Security Bounty, featuring the industry’s highest rewards — up to $2 million and a maximum payout in excess of $5 million — expanded research categories, and a flag system for researchers to objectively demonstrate vulnerabilities and obtain accelerated awards.


macOS Tahoe UI has a HUGE new feature for folks like me who have 24/7 Mac Minis running and access them remotely: you can now type the boot password remotely via SSH!

Power on the Mac, then SSH to it. A simple SSH server will handle your request. Typing the password there is equivalent to typing it on the keyboard. The connection then closes and the machine boots normally.

Combine this with "Start up automatically after a power failure" and you can ditch that KVM! #macadmins