[Cryptography] best practices considered bad term

Ralph Holz ralph-cryptometzger at ralphholz.de
Sat Feb 7 20:52:59 EST 2015


Hi Ian,

I find your argument intriguing, but it is not supported yet by
evidence, and there may be different interpretations to the same
statistics. I am not saying you are wrong, but having actual data to
support that would be great - this is probably an area for qualitative
analysis followed by quantitative:

> I'm not so sure.  If you look at the 2000s, Apple shipped gear that was
> remarkably free from bugs and attacks.  Their security bug list was in
> the 3 figures whereas Microsoft was in the 5 figures.  I suspect that is
> still the case, although I don't track it.

This may also be an artefact of inaccurate reporting of bugs, e.g. due
to a security team that was too small. It may also be an artefact of not
enough people outside poking the software.

> Now, here's the sell:  Over the 2000s, people drained out of the
> Microsoft world to the Apple Mac OSX world pretty consistently.  At the
> start, Apple was tiny.  At the end, the biggest.
> 
> And -- my hypothesis -- they did that in significant part because the
> Mac OSX product was more secure.  By this I mean, no requirement to run
> virus scanners, and until last few years, very little update and change
> requirement.  Which meant more time and more $$$ in users' pockets.

I cannot recall any colleague who gave security as the first argument
for a switch to OS X. It was almost always the convenience of the OS,
plus the coupling to other devices. Sure, this is not a representative
sample - but it makes me ask for some real data.

> I'd say, *in the long run*, Apple beat Microsoft on software security.
> It helped that their hardware was good too, and that they had the sense
> to aim for the premium price range.  By that, I mean Jobs took the long
> view, a decade.  Wouldn't fly in other circumstances of course.

Given that Microsoft has a good development lifecycle in place, this
makes me ask for data even more so. :)

Ralph

