Surprise, Your Headline Was Wrong

It’s nice to know we have passionate readers. A story I wrote a few weeks back — “Surprise, Microsoft Listed As Most Secure OS” — made that clear.

However, there are some issues these readers noted, some more politely than others, that I want to address. Where necessary, I will include the reader responses in italics — and unedited.

For starters, the story has a new headline: “Report Says Windows Gets The Fastest Repairs.” And for good reason. The more rational among our respondents pointed out that Microsoft is not an OS; Windows is. That’s what happens when you improvise a headline late in the day. The headline was misleading, and so was calling Microsoft (that is, Windows) the most secure OS in it.

“Surprise, you’re an idiot … who doesn’t know how to read let alone contextualize a snippet of a report which makes no claim that Windows is “more” secure than Apple”

Let’s see. Thirty-nine issues for Windows, 43 for Mac, 63 for Solaris, 98 for HP-UX and 208 for Red Hat Linux in the second half of 2006. So who has the fewest problems? Numerically, Microsoft did, and it had the fastest turnaround time.

What disqualifies Microsoft from such a distinction, as so many pointed out, was the number of severe issues. Windows had 12 in the last six months of 2006, and Mac OS, Linux, HP-UX and Solaris all had one or two. That was what made the headline so inaccurate, and it’s a rightful complaint. But again, I did not downplay this in the story. Rather, I pointed out that Microsoft had far and away the most severe bugs.

A legitimate complaint from many is that Red Hat’s haul of 208 problems wasn’t just confined to the operating system but utilities and other elements of the distribution. You’re all quite right. I would have broken it out if the numbers were available, but they were not.

“You are a liar. The report does not say anything like that. There is nothing in the report that would lead any responsible person into making up such audacious lies.”

It’s called analysis, something we try to do from time to time. Simply regurgitating press releases is not only boring, it does nothing to distinguish us. When something like Symantec’s massive report comes in, any one of us would look it over for the first-day take, which was my first story on the report, then scour it for a follow-up story. Of course anyone is free to disagree with our analysis as was the case here.

I do owe an apology to the folks at Symantec for any grief they may have gotten over the headline or assumptions made off the story. For the record, Symantec never gave an endorsement of one operating system over another. They merely listed the numbers; I drew my own conclusions.

Another reader came closer to the mark:

“I find it highly dubious that with anywhere from 70,000 to 115,000 viruses, trojans, spyware, malware, crapware, etc for the Windows platform and none (zero, zip, nada) for the Mac platform, that the Mac platform can be considered ‘less secure’ than the Windows platform.”

He is correct about the incredible prevalence of Windows malware, but let’s be real: Windows is the target because everyone uses it, not because it’s a poorly coded OS full of holes. If Macintosh or Linux were the dominant platform, they would have all the malware.

But he was incorrect that there is “zip, zero, nada” malware for Mac. There certainly is, and there are certainly vulnerabilities. Ironically, most of the vulnerabilities uncovered on the Mac are found by coders and security experts who are trying to secure the OS. If there’s ever sufficient motivation for the bad guys to target the Mac, they will find many more.

As my earlier reporting indicates, the bad guys are on Windows because, as Willie Sutton said of why he robbed banks, that’s where the money is. (OK so he denied saying that, but it helps get my point across.)


Virus writers aren’t interested in stomping on your boot table or BIOS anymore. This is organized crime out to steal people’s financial information, and if you want to cast your net as wide as possible, you don’t waste your time on a platform with less than 5 percent market share (according to IDC).

Don’t delude yourselves into thinking the lack of malware on a platform equals security and solid programming. That was the gist of far too many letters: Windows has the most viruses because it’s the most inferior. Wrong. You Mac and Linux users are being left alone because it’s not worth it to bother with you.

If overnight 90 percent of Americans began using Macs, the explosion in malware on Mac would knock you off your feet. And given Apple’s slow response time (63 days vs. 21 from Microsoft), you might find yourselves wanting. The same holds true for Red Hat Linux.

What really mattered to me was the turnaround time. It doesn’t matter whether you have a sprained knee or a gunshot wound. Would you rather wait a few minutes or a few hours when you go to the emergency room? Speed at plugging the hole adds to an operating system’s overall security, along with the number of holes found.

Therein lies what I felt was the most salient point. Charles King even backed it up to a degree in the story.

As a company under constant assault, Microsoft has gotten fairly skilled at fixing holes quickly. All of the companies listed in the report showed longer delays in fixing security issues, so no one really has bragging rights. This leads me to highlighting one of the better letters on the subject.

“Also the average turnaround days value you give is not useful at all, as you do not break it out into turnaround on severe versus turnaround on medium and low severity. Obviously any developer will prioritise and fix the most crucial issues first, before moving onto the low priority bugs. This then translates to low severity bugs taking longer to address, because they are just that – low severity.”

That’s fair, but I would counter that all security issues should be dealt with at top speed. Just because it’s not a buffer overflow leading to a remote execution of some kind of Trojan doesn’t mean you can take your time. Symantec didn’t go into the issue of how quickly companies responded to severe bugs vs. low-priority bugs.

Habits built over time will reflect in the response to severe issues. If the time comes that you must respond quickly and your responses are equally flabby, your customer base will not be happy.

Then there was the comedy. Here are two letters that are comparable to several others I received:

“You talk about OS and why did you leave out BSD? For once be a neutral person and don’t take sides.. I believe OpenBSD and others would be in the top spot.”

“Did you check the BSDs? If not, that is a serious oversight, and if you did that is a serious omission.”

Um, guys? I linked to the report in my original story. There was nothing on BSD in it. It’s a marginal operating system at best.

The rest of the responses ranged from disagreement to outright insult. I won’t even dignify the accusations of a Microsoft payoff for the story with a response. At least the letters settled for being merely obnoxious. Some netizens are behaving far worse these days.

Many people indicated they had never read before finding a link to my story in the blogosphere. Don’t judge us by one inaccurate headline. And to all the open source folks, keep an eye out for the excellent reporting by my colleague Sean Michael Kerner. Thanks for reading.

Andy Patrizio is a senior editor in the San Francisco bureau of
