[Cryptography] best practices considered bad term

Ángel González angel at crypto.16bits.net
Thu Feb 5 18:18:55 EST 2015


On 04-02-2015 ianG wrote:
> > So far no one has managed to find the way to market the qualities
> >that emerge from solid internal design and care.
>
> I'm not so sure.  If you look at the 2000s, Apple shipped gear that was 
> remarkably free from bugs and attacks.  Their security bug list was in 
> the 3 figures whereas Microsoft was in the 5 figures.  I suspect that is 
> still the case, although I don't track it.

We can perform a quick and not extremely accurate comparison looking at:

http://www.cvedetails.com/vendor/26/Microsoft.html
http://www.cvedetails.com/vendor/49/Apple.html

In 2014, 376 vulnerabilities were found in Microsoft products, compared
to 286 in Apple ones.
So not as distant as you seem to expect (and in fact, in 2012, 80% more
vulnerabilities were found in Apple products than in Microsoft ones).

In the early 2000s the comparison was brutal, though.
(Not necessarily meaning Apple did things better, perhaps they were less
recorded, there was certainly less attention given to Apple
vulnerabilities, and they had drifted much less from BSD, which has an
excellent security record.)


Funnily, in 2015 Apple already has 48 vulnerabilities, while Microsoft
has only 10. Too early to predict anything, though.



> And -- my hypothesis -- they did that in significant part because the 
> Mac OSX product was more secure.  By this I mean, no requirement to run 
> virus scanners, and until last few years, very little update and change 
> requirement.  Which meant more time and more $$$ in users' pockets.

I'd say that the perception was “Microsoft is insecure”, rather than
“Apple is secure”.



> I'd say, *in the long run*, Apple beat Microsoft on software security. 
> It helped that their hardware was good too, and that they had the sense 
> to aim for the premium price range.  By that, I mean Jobs took the long 
> view, a decade.  Wouldn't fly in other circumstances of course.


The price is a marketing decision, with little relationship to the
product security (actually, developing a product you will support in an
insecure way is more expensive in the long run).
By the way, it was John Sculley who went on to make the Macintosh expensive,
back in 1984, in opposition to Steve Jobs, who wanted a more affordable
price.


Did Apple beat Microsoft on software security? I wouldn't affirm that much.
It certainly has a big advantage in being a much more closed ecosystem, and
thus it's much simpler for them to produce secure solutions. However, Apple
seems to deal with similar issues to Microsoft in this field, with an
increasing number of security problems reported. And they too have
prioritised features or UI over security at times.



In the end, "solid internal design and care" is not something observable or
easily noticeable by the end user. Unlike other properties, like performance,
price (concrete) or appearance (abstract), security is an intangible.


