Apple
Apple stays on message
So Apple ships some iPods with malware. As George Ou points out here, Apple then displays "arrogance and insincerity" in blaming Microsoft. George is absolutely right, Apple's display was disgusting and offensive to those of us that would like companies to accept responsibility when they screw something up.
But what George is missing is that what Apple did is good marketing. Dare I say it, maybe even great marketing. Huh? Did I say good/great marketing? With the blogosphere in an uproar? With everyone questioning the legitimacy of Apple's security posture? Absolutely, this is a classic example of why Apple is by far the best marketing organization in technology.
Why? Because their target market is not us. We'll buy their stuff anyway because we KNOW it's more secure. We can get pissed off and blow off steam and call them names. But what are you going to do, buy a new XP machine in protest? Not likely. Or maybe you are a Windows bigot (yes, they exist) - you aren't going to buy a Mac anyway - so they aren't talking to you either.
One of the first keys to good marketing is to stay on message. Apple certainly does that. It's all about the "Windows virus" and how Microsoft's OS should be more "hardy" and resistant to malware - like a Mac. Consumers eat this stuff up. And I suspect quite a few (who love their iPods) will certainly consider buying a Mac when their current machine blows up. If they had a Mac, they wouldn't have this problem.
Of course, it's ridiculous given that Apple created the problem. But the mass market is not comprised of the sharpest tools in the shed.
Another key to good marketing is to speak to your target customer. Apple's customers just want things to work (like their iPod) and because this virus only compromised Windows machines, it's another opportunity to poke Microsoft in the eye. Like they did in the original no virus ad here. See, they always stay on message and they never miss an opportunity to make the competition look bad.
So as much as I'm with George in being disgusted by Apple's actions, sometimes the best marketing makes you want to puke. And this is one of those times.
EAC Blog: The dichotomy of Microsoft's advance notification
The folks at TechTarget were kind enough to let me republish my posts at the Expert Answer Center here. This post first appeared on July 7. Link here.
On my Security Incite blog, I've made no bones about how sick I am of Patch Tuesday (here and here). Thankfully the preamble to July's festivities happens during a holiday week, so many of the beat reporters that need this stuff for content are MIA. That's a good thing in my book. But it got me thinking, why does Microsoft pre-announce what they are going to fix anyway?
I checked out Microsoft's web site and saw the following explanation:
As part of the monthly security bulletin release cycle, Microsoft provides advance notification to our customers on the number of new security updates being released, the products affected, the aggregate maximum severity and information about detection tools relevant to the update. This is intended to help our customers plan for the deployment of these security updates more effectively.
The cynical and devious bastard in me thinks Microsoft is opening holes by pointing out exposures that folks may not have known about. So now the bad guys have roughly six days to get an exploit out there and do some damage.
It's kind of like a bank saying, "We're fortifying the sub-basement under our vault next Tuesday." If you are a bank robber, you know your timetable and where the exposure is. Of course, there is still a lot of work to get in, but you've got a lot more information than you did before. You probably assumed the sub-basement was already fortified, no?
Alas, I also see the other point of view, which is that enterprises (both small and large) need to plan. If Microsoft drops a bomb on Tuesday with a very high profile patch that requires immediate attention, administrators get really pissed. They like to know exactly what is happening and why, even though many of them use automated patching products to "set it and forget it" once it's QA'd by the patch vendor.
The conclusion I come to is that Microsoft is dealing in numbers that mere mortals could only dream about. When they patch something it goes out in volumes of HUNDREDS of millions, not like 10 or 15 or even 1000. They've honed in on a patching process that is far from perfect, but works pretty good over a long period of time. To my knowledge, no one has taken a pre-announced patch and exploited it in the window of opportunity. So they have their bases covered.
There is also a halo effect with most customers about coming clean with issues. Everyone knows that every piece of software has vulnerabilities. Sure Microsoft's software has a lot (relatively more than others), but they acknowledge it and are moving to fix the systemic root causes of the problems.
One man's opinion is that Oracle and Apple should communicate a bit more about things they find. Apple just fixes things, but their software makes the updates relatively transparent and their lack of presence in the data center makes this a non-issue for most enterprises. Oracle, on the other hand, patches once a quarter and doesn't even get to everything. So it's hard to point to Microsoft as a security innovator, but they are eons ahead of the other folks relative to patching problems they created.
Dark Reading's Top 10 IT Security Myths Demystified - Part 1
As I mentioned in this morning's TDI, Dark Reading put a stake in the ground by defining the "Top 10 Myths of IT Security." The link to the entire article is here. Having no pride, I figure I may as well jump on their coattails, add my two cents, and initiate some good discussion about some topics that I'm sure will create some passionate discourse. So without further ado, let's jump right in:
Myth #1: Epidemic Data Losses (link here)
"Let's all take a breath together: There is no data loss epidemic."
So the Dark Reading guys start off with a bang, that's for sure. They make this statement and then go on to reference the CSI/FBI survey to validate that security risks are going down. WRONG! Let me say that again WRONG!
Attacks are more targeted, so we are seeing less of the massive outbreaks, but I posit that more attacks are successful. We just don't know about most of them. And let's debunk the debunking of this myth: THERE IS A DATA LOSS ISSUE. The fact that it isn't a major, catastrophic issue is just by pure luck.
Millions of customers have had enough information compromised to be potential victims of Identity Theft. Has it happened yet? I don't know. Lots of folks have an issue, but it's hard to point back to one lost laptop, so to speak. And the idea that we've been losing stuff for years and now it's an issue because the Feds make us report it is just asinine. Because the status quo is to screw up doesn't mean we can/should accept it.
So, I give their first myth-buster a C. They are wrong, but the impact has not been felt or correlated back to these data losses.
Myth #2: Anything but Microsoft (link here)
"Nothing is bulletproof these days."
This one is better. Clearly Microsoft is a much bigger target, but that doesn't mean you should just buy a Mac (or use Linux) and not worry about anything. You still have other devices (servers, etc.) and data that can be compromised. Yes, I use a Mac when traveling. I think it is safer and definitely easier to use. It also gives me street cred with the Gen X crowd. OK, not so much. But what it isn't is bulletproof. Everyone should think layers and ensure that your network security posture is strong.
This one is better. B+
I'll be back next week to address a couple more of the myth-busters.
The Daily Incite - March 15, 2006
March 15, 2006
Good Morning:
Top Security News
Security Screw-Up 1 - McAfee (http://www.eweek.com/article2/0,1895,1937154,00.asp)
So what? - McAfee sends out a DAT update that wreaks havoc on enterprise by deleting lots of good files. This situation was inevitable due to the velocity of threats. Response time is measured in minutes (not hours) and when you need to respond that quickly, shortcuts are going to be taken. This time it was McAfee, next time it will be someone else. But this will happen again. Users are advised to grin and bear it. I know that's a crappy answer, but you can't test every AV update - and you can't wait until someone else does. You can get pissed and think about switching vendors, but the reality is switching costs will be high and there is no guarantee whoever you pick won't screw up next month. If anything, if your renewal is coming up in the next 3 months, use this as leverage to drive the price down a bit.
Security Screw-Up 2 - Apple (http://www.informationweek.com/story/showArticle.jhtml?articleID=181503692)
Top Blog Postings
Protect your teens
Johanna Ambrosino of InformationWeek has a great piece on protecting teenagers online reflecting her personal experience. This is a huge issue for many, so if you have teenagers - read this posting. My oldest is not even 6 yet, so she's still quite happy tooling around the Disney and PBSkids sites, but it's just a matter of time before any of us with kids will need to deal with this problem. Being security professionals, we have a leg up (since we know what's available out there), but ultimately we need to equip our kids to make the right decisions, as opposed to expecting software to be a silver bullet. Also go visit K9, which is a service of Blue Coat to educate consumers about the bad stuff happening on the net.
Link: http://www.informationweek.com/blog/main/archives/2006/03/keeping_kids_sa.html
Shortcuts are a fact of life
Jim Rapoza of eWeek vents about companies taking shortcuts on protecting private information. This was driven by a court decision releasing the financial provider from liability because they didn't have proper protections on student loan data. DUH! Some folks take shortcuts and it pays, for others...not so much. And we can't count on the courts to defend us. I was actually talking to someone this week that commented about healthcare companies taking shortcuts because the penalties for violating HIPAA are a rounding error. That's pretty scary, but it's true. I don't spend a lot of time agonizing over human nature, which is that people are going to take the easy way pretty much every time. So, it's reasonable to ask your bank and healthcare providers how they protect your data. And then you can decide whether that is someone you want to do business with.
Link: http://www.eweek.com/article2/0,1895,1935518,00.asp
Hack Thyself?
Interesting article by Matt Sarrel in PC Magazine (which is targeted at SMB types) called "Hack Thyself" about vulnerability management. They don't really call it that, but the article is about using a scanner to see if/how you are vulnerable. Again, as security folks, this is obvious. BUT there are lots of unsophisticated users out there that need help like this. If you are a vendor, take heed. It needs to be simple (and preferably transparent) to be mass market applicable.
Link: http://www.pcmag.com/article2/0,1895,1932661,00.asp
Military Mindset?
My old friend Jay Heiser (now of Gartner) writes in his monthly Information Security Magazine column about security professionals needing to move away from the military mindset. I am mostly in agreement with this, in that we must act pragmatically and not do security just for security's sake. BUT, this is war and the bad guys want to do a lot of damage, so having a structured containment and response process and mechanism that is practiced and runs with military precision is absolutely critical to keep your information safe. The point of evolution is to leave the useless stuff behind, but improve on what works. Sure, there is some part of the military mindset that is not helpful, but a lot is - so I say not to throw the baby out with the bathwater, but to make sure that you are constantly looking for ways to do more of the right stuff and less of the wrong stuff.
Link: http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1171862,00.html?track=NL-102&ad=545608
Face-off on Anomaly Detection
I really enjoy the face-offs that Network World publishes. This one is about anomaly detection, and both participants make good points and are misguided on others. The reality is that behavioral-based techniques are another tool in our tool bag. It should be treated as such. It's not a panacea, nor is it a waste. In fact, anomaly detection techniques are being added to most of the perimeter defense offerings out there because it makes a good complement to traditional IPS signature and heuristic methods. That doesn't mean it's a stand alone opportunity for a vendor, but users need to figure out how to integrate all applicable techniques into their defense schemes. The answer continues to be "all of the above" regardless of what the vendors say.
Link: http://www.networkworld.com/community/?q=anomaly&nettx=031406netflash&code=nlnetflash26594
Ed Moyle on the futility of Hacking Challenges
Amen to this! Like any test, review or challenge - inherently the answer will be biased because of how the test is set up. Users need to look at these results in context. The Swedish Mac OS X hacking challenge seemed to be a farce. The one done at U of Wisconsin may have been too. The fact is, just as stupid as it was for Oracle to claim they were "unbreakable" a couple of years ago, it's stupid to think that any OS will be free of malware and threats. They can all be broken if given enough time. Nothing is foolproof. So make sure you have layered defenses in place, so you are not putting all your eggs in one basket.
Link: http://www.securitycurve.com/blog/archives/000358.html
Surprise! Vendors Trying to Capitalize on Mac Vulnerabilities
Stop the presses! Analyst Rob Enderle has caught security vendors being...security vendors. Here is InformationWeek's coverage of the news that security vendors are trying to capitalize on these new Mac OS vulnerabilities.
His big issue is that because the security vendors have publicized the vulnerabilities, the hacker community got to work on exploit code. That is crap and a very flawed argument. First of all, it's not like these vulnerabilities are a secret. Every security vendor shares information and there is a big open source community focused on vulnerabilities as well. So it's not like you can really keep this stuff a secret. And the fact that Apple had a fix very soon after the announcement indicates that these issues were not surprises to them.
Secondly, the architecture of the Mac OS means that even if you are infected, it will be hard to get exponential proliferation of the worm. But to think that security vendors wouldn't try to use this as a marketing hook is naive. How many press releases do we see after every Microsoft Patch Tuesday? You know the headlines: "Vendor A's groundbreaking ferpolator stops nasty Microsoft problem before it's an issue." We see at least 15 of these for every high profile issue announced.
Did security vendors take some kind of oath that they wouldn't market their wares opportunistically? Give me a break! The AV vendors are trying to make their numbers like everybody else, why vilify them because they are doing their job?
Now the impetus is on end users to figure out whether there is anything to the hype or not. Personally, I think it's a non-issue. That being said, I am in the process of buying an AV product for my Mac. I've just been lazy and it's this kind of thing that is a buying catalyst for someone like me, and probably lots of other people. I'd rather be safe (and $40 poorer) than nailed if something really does happen.
So I will buy the insurance. But don't shoot the friggin' insurance salesman because he brings up the issue that someday you might die.


