Turns out Allchin's OK. Can we pig-pile on Oracle instead?

Have you seen the ads for the "Truth in Software Commission" hearings over at BigFix? If you haven't, I highly recommend checking them out. Their satirical content is absolutely hilarious and very much worth the trip (trust me, it's long on laughs and short on the hard sell for their products). Not to wax verbose on this, but even their logo is laugh-out-loud funny (provided they don't move it anytime soon, you can see it on the right of this entry). The tagline, "Duc Ergo Sum", could be roughly translated as "You build [it], therefore I am". Classics humor... not something you see in infosec very often.
All very interesting, and I found it somewhat ironic that the article on which I saw the advertisement was one of the original "post-retraction" articles, where Microsoft president Jim Allchin was paraphrased as saying that Windows Vista is so secure it won't require AV. Now, before you get all worked up like I did when I first heard that, take a moment and look at his response to all the hubbub... it turns out that he said something a bit more reasonable than how it was originally portrayed. What he really said was hubris-free, unlike how it was originally spun. And as of now, we're pretty much back to where we started, except with a bunch of retractions, clarifications, and general backtrackery in the industry press.
So all in all, we're net-zero after the "Allchin Incident". Now you might be wondering: if we're net-zero, why am I bringing it up? Because of an interesting lesson in all this. On the surface, there's the obvious lesson of "don't believe everything you read", but that's not the lesson I'm talking about. Misquotes and misinterpretations of statements happen, so I don't think we should expect that they won't (or shouldn't). Instead, the lesson I'm talking about is the willingness on the part of the public and the journalist community to expect hubris from Microsoft and damn them for it when it happens. Now, that's OK, but what I think is unfair is piling on the big M while simultaneously ignoring (or encouraging) the same type of hubris from other firms. Here's what I mean. This thing with Allchin was a pig-pile, right? It was the same kind of journalistic feeding frenzy you see in post-midterm White House press briefings... brutal. But compare that frenzy with the reaction of the press to the comments Oracle VP Hasan Rizvi made earlier this year:
In an IT environment there are lots of complexities and if you look at
the Oracle software, people have to apply the patches... Our customers are
so used to high security that when there is a vulnerability they don't apply
the fix because they are not used to it, which is an interesting position to
be in.
Now, I blogged about this because the hubris of that statement (not to mention its inaccuracy) seriously got under my skin, but there was pretty much no response from the mainstream industry press... other, that is, than the sound of crickets all around. Or remember when Larry Ellison went on record saying that Oracle hasn't had a security problem in twenty years? Where was the pig-pile then? Ellison's statement was inaccurate, misleading, and dangerous. But still the crickets won the day.
Or take Apple, who has unrelentingly pushed the "no malware" message in the absence of any proof and contrary to empirical evidence. I've griped about that plenty in the past, so I won't go through it again. But guess what? When Apple makes a statement like this, not only does it not hit the press (at least not as something negative), but humble bloggers who dare to criticize it get their email boxes filled with hostility. So here's my question: clearly, we're more eager to tear Microsoft down for doing this than other firms. Why is that? Shouldn't we hold other firms to the same standard? Isn't it just as offensive when Oracle makes a statement like this (and really means it)? Shouldn't it be? I'm not going to say we should tolerate hubris from Microsoft. Clearly, we should react in the way that we did and call them on it. But why do we continue to tolerate this from everybody else?
Posted by Ed at November 13, 2006 11:29 AM
i agree 110%, we absolutely should not tolerate it from non-ms companies... of course, i've taken shots at both apple and oracle (oracle 9 was supposed to be 'unbreakable', and let's not forget that oracle "have the security problem solved") in one place or another...
on the other hand, consider this... microsoft gets targeted most by the press - they also get targeted most by crackers and malware authors... do you think there might be a correlation? maybe something to do with them just being the biggest target? why hunt for chinks in the armour of other companies when microsoft's supply of low-hanging fruit is so plentiful...
fairness is the only motivation i can think of that would make someone look elsewhere from time to time, but that has to contend with laziness and laziness often wins...