Pot calling the kettle black?
 
Microsoft has gotten on Apple’s case about security. Is that the pot calling the kettle black, or what? But, just maybe, they’re not wrong. Maybe both the pot and the kettle are black. In his blog, Microsoft program manager Stephen Toulouse, who often serves as a Microsoft security spokesman, complains about various aspects of Apple’s security response, including its “successive refinement” of security fixes (shipping a fix, then shipping another fix for the same problem). He writes that “Apple needs good security coordination inside the company” and that they should “appoint a security head and change their view on security.” The blog also points out a whole bunch of other things that Apple could do better.
 
Mr. Toulouse is not wrong, and much of what he says deserves attention. If someone (or, in this case, some company) has made a lot of mistakes and learned from them, someone else (or some other company) would do well to learn from those mistakes too, rather than making the same ones over again. We all know Microsoft makes an awful lot of mistakes. But they’re pretty darn good about learning from them. If you remember the first few failed versions of Microsoft Windows, back in the 1980s, you probably also remember how well Microsoft learned from those failures when it came out with the very successful Windows 3.0 in 1990 and Windows 3.1 in 1992. Or how they ignored the Internet for a while in the 1990s, then realized their mistake and went out and (illegally, perhaps) clobbered Netscape.
 
Or how they ignored security for years, then went back and made it a very high priority. One of the main reasons Windows Vista is now delayed (again) until 2007 is that Microsoft is devoting so much effort to its security. Will it be half as secure as Mac OS X? No way. But will it be ten times as secure as the early versions of Windows XP? Probably.
 
As part of learning their security lesson, Microsoft has put seemingly excellent procedures in place for addressing security issues and communicating about them as they come up. They’ve had so much practice in this area that they’ve gotten pretty darn good at it. Apple, for better or worse, is just starting to get real-world practice. So they do need to learn from Microsoft, and there would be nothing wrong with their doing so. After all, Microsoft has learned from Apple in a whole lot of other areas (the above-mentioned Windows 3.x, for instance).
 
Of course Apple has already done some learning from Microsoft and others and is addressing security head-on. They do have a security team, a security update mechanism, and a security Web site. And they’ve also taught others a whole lot about how a focus on the user leads to a focus on security. But, as Mr. Toulouse notes, a number of items are missing from Apple’s security Web site and communication strategy, and there are probably some organizational improvements to be made within Apple too. As preposterous as it may seem, Mr. Toulouse (and Microsoft) may well be more right than wrong.
Thursday, March 23, 2006