This post comes from reading Jerry Fishenden's blog entry about the issues of security and identity technologies. I find that Jerry is asking questions that echo my own about those topics. Recently I have been amazed at watching the Apple TV spots, where Apple does its best (very effectively I might add) to lampoon the dorky "PC" on the issue of viruses and spyware, while Apple’s cool dude "Mac" talks about being safe as long as you are on the Apple products. For years I have watched as the OSS community has insisted that collaboratively produced software is inherently more secure. I think both Apple and the OSS community are short-sighted and a bit irresponsible in their approach.

As Jerry points out when speaking about security technologies,

"No wonder so many policymakers find it hard to make sense of the multitude of claims made about different technologies: it's hard to distinguish between marketing and evidential issues, hard to separate hype from reality. And that's for those of us in the industry long experienced with distinguishing between aspiration and sales claims versus evidence."

I think it is counterproductive for anyone in the software world to differentiate on the topic of security by suggesting that someone else’s security stinks; it ends up sending the wrong message altogether. I’m fine with people saying that they are improving the security of their product or technology as it is all good to raise confidence for all consumers. Do you really think that you are more secure from viruses on the Mac than the PC? On Linux vs. Solaris? On anything connected to the Internet from anything else connected to the Internet? Is this because of the inherent quality of the technology you are using...or could it be other factors?

Let's play around with this a bit.

Consider the room you are sitting in right now, reading my blog. I'd bet it would be a hell-of-a-lot more secure if it had no doors, windows, air vents, light or electrical sockets, or any other breach in the perfection of its walls. Of course, the functionality of the room would be rather degraded. Additionally, if you just had a beat-up old chair, a battered desk with coffee stains on it, and a sheet of paper with my inane musings in it...not much of an incentive for breaking and entering. But if, instead, your room had file cabinets with the personal information of 10,000 people and credit card and bank account numbers for all of them, suddenly the room becomes more interesting for those with nefarious intent. Or, it could simply be that the perfectly white walls of your room (even from the outside) are just too agonizingly tempting for someone who wants to spray-paint graffiti all over them.

Maybe you were really smart—when you put in your door, you made it double thick with seven locks and a police bar. Of course, those locks are only good if you remember to use them. Maybe, over time, it is just too much of a hassle to bring seven keys with you, so you only lock the one that lets you in and out most quickly. The possibility of greater security is there, but it comes into conflict with the usability of the room.

In essence, I’m trying to get to the fact that the quality of the target (that which is being protected) matters, as does the technology that is doing the protecting, as do the procedures of the people doing the protecting. This is hardly a new revelation in the world of security.

So here is my concern with all of this. People writing viruses are criminals (to me). People cracking into others’ systems are criminals (to me). These criminals are completely agnostic as to what system you are on and whose security technology you choose to use. If you have a completely locked down Windows system and follow all the guidelines, install all the patches, put in place great procedures (and actually observe them) – you will have a safer place in which to work and store your data. Same is true for a Mac, same is true for Linux, same is true for any other system.

I know I am naïve in this, and that my own company seeks to differentiate on the topic of security. I’ve been running Vista for the past 2 months, and it has made great strides on the security path (once you get used to how often it stops to ask you if you are sure you want a given piece of code to execute on the system). But, to me, all of the software and hardware providers should be linking arms and singing kumbaya on security. We all lose when consumers feel less safe. We all lose whenever there is another headline about Apple, Sun, Microsoft, or any other provider issuing some group of security packages.

Policy makers are under pressure to make the world safer for consumers. They want concrete answers to an issue that has no absolutes in it. If the Mac ads are successful in getting more people to buy their products, then they will undoubtedly become a more interesting target for those writing spyware and viruses and looking for security holes. I can’t guarantee the success of their products in the market, but I will guarantee that they will be attacked if they are successful.

Maybe then they’ll run an ad where “Mac” and “PC” and “Tux” get together and decide that the problem isn’t each other, it is the nincompoops who think it is cool to vandalize, spy, and steal.