"We think our software is far more secure than open-source software. It is more secure because we stand behind it, we fixed it, because we built it. Nobody ever knows who built open-source software." (source)
Let's analyze this quote for a moment:
"We think our software is far more secure than open-source software."
Fair enough. Everyone's welcome to their opinion, and there's nothing wrong with standing up for your products.
"It is more secure because we stand behind it, we fixed it, because we built it."
I wouldn't judge some system's security based on the system maker. Rather I would judge the quality of a system's security based on what independent security experts have said about it and the security principles applied to the system's architecture (e.g. using battle-tested encryption protocols vs. proprietary "security by obscurity" encryption protocols). Ballmer here asserts that Windows security is implied by the fact that Microsoft created it and has improved it over time. To give Microsoft credit, they have made great strides in their products' security as part of their "Trustworthy Computing Initiative" that they launched a couple of years ago.
However, I think many, if not most people (outside of Microsoft sales and marketing) tend to associate the Microsoft software brand with subpar security. This is unfortunate, because there are some good things to be said about the security in systems such as Windows, and Windows and Office get a disproportionate number of attacks because of their dominant market share on the desktop. Still, when it comes to branding, perception is reality, and the weekly announcements of new major vulnerabilities and associated patches to Microsoft products (especially Windows and the bundled Internet Explorer web browser) have taken a heavy toll on the industry's perception of security in products coming out of Microsoft.
Ballmer could make a much more compelling argument if he focused on objective security measures and analyses rather than simply saying "trust us".
Finally, he says:
"Nobody ever knows who built open-source software."
This statement could be kindly called "an extreme exaggeration" but in reality is simply untrue. Although it may not be possible to trace every line of open-source code back to the organization or developer who wrote it, it's quite common that the individual or organization behind an open-source component is well known. For instance, IBM's OTI subsidiary wrote the majority of the code in Eclipse and reviewed the many valuable contributions submitted from other organizations and individuals. And in the case of the Linux kernel, there is a well-known group of "committers" who create much of the code and review that which they do not create.
Once again, I think that Ballmer would do his company better service by speaking about more objective comparisons and analyses of security rather than comparing Microsoft Windows' not-so-pristine security reputation (again, somewhat unfounded) with a specious argument about not knowing the identities of creators of open-source software.
Steve Ballmer is a very smart man and has made a lot of money for Microsoft (and himself) with his sales and marketing abilities (at heart he's a sales guy, not a hard-core geek). As the saying goes, "the ultimate measure of success is success", but it's still unfortunate that he uses a specious argument on such an important topic as security to bolster Microsoft and spread FUD about open source. Alas, this isn't the first use of this technique in the software industry, and Microsoft isn't the only guilty party. Hopefully the folks who listened to his speech will compare the security of Microsoft products vs. Linux products using more objective criteria than Ballmer used in this quote.
PS - I couldn't find a transcript of the full speech and it would be interesting to see if he elaborated his argument beyond the soundbite listed above. If anyone finds a transcript, please link to it in the comment section below.