Steve Ballmer has a hard job. Being the CEO of a company the size of Microsoft is brutal and exhausting. Against his nature, Ballmer has been trying to change his own persona and the company culture. So far, he appears to have made progress. In my mind, Microsoft is a more mature corporate entity than it used to be. The startup mentality is important to hold on to, but isn’t functional as the core value of a $30 billion company. What Ballmer needs to do is hold on to the best of the existing culture, while transforming it into something new. Tough job. I couldn’t do it.
Ballmer has also re-engineered himself. His combative, hardball salesman nature is inappropriate for a Fortune 500 CEO. You can insert any bean counter joke you want, but CEOs have to balance a lot of different interests. Almost nobody gets it right. Ballmer has done pretty well. But it’s a strain, and sometimes it shows. It did yesterday in Orlando.
Ballmer was onstage at a Gartner sponsored Tech love-in. I don’t know what he was led to expect, but what he got were some pretty sharp questions. Some of the sharpest were about security, and the constant drumbeat is clearly getting to him. In what I am guessing was a “shoot-from-the-hip” throwback to the old Ballmer, he blurted a few doozies. When asked if open source software is not by definition more secure than closed, he said, “The data doesn’t jibe with that. In the first 150 days after the release of Windows 2000, there were 17 critical vulnerabilities. For Windows Server 2003 there were four. For Red Hat (Linux) 6, they were five to ten times higher…There’s no roadmap for Linux. There’s nobody to hold accountable for security issues with Linux. There’s nobody sort of, so to speak, rear end on the line for issues.”
Obviously, the data is suspect. Any comparison between Windows and Linux security bulletins has to take two things into account. First, Red Hat comes with more than 1000 applications. They issue security bulletins for all of them. A Sendmail or MySQL security problem gets publicized the same as a kernel issue. Windows security bulletins concern Windows and its associated applications only. Thus a raw number comparison of bulletin frequency is misleading. In addition, MS and its minions have cited total bulletins for Linux compared to Windows. This is equally misleading. When MS discovers a problem, they issue a bulletin. When a Linux application discovers a problem, every distribution that carries that application issues a bulletin. That can mean more than a dozen bulletins for an important problem. But not everyone needs to pay attention to all the bulletins. I use Mandrake Linux, and ignore bulletins concerning RedHat, SUSE and the rest.
The second reason the data is suspect is that Microsoft has occasionally changed the definition of “critical vulnerabilities”. This raises or lowers the number of criticals without changing the overall number of actual security issues. Are the numbers Ballmer cited critical vulnerabilities by today’s definition or those in effect at the time? And does MS use the same kind of criteria in categorizing Linux vulnerabilities as it does its own?
Apart from these two data problems, there is a more substantive objection. By choosing the appropriate time periods, one could “prove” that winter is hotter than summer. Comparing Windows Server 2003 with RedHat 6.0 (released in 1999) sounds like that kind of exercise. In terms of the actual number of security issues that one needs to act on, there isn’t much doubt that Windows is way ahead (behind?). Groklaw did a wider comparison of the numbers with predictable results.
Ballmer also poured scorn on the patching process in the open source world, saying “The vulnerabilities are there. The fact that someone in China in the middle of the night patched it–there is nothing that says integrity will come out of that process. We have a process that will lead to sustainable level of quality. Not saying we are the cat’s meow here–I’m saying it is absolutely not good reasoning to think you will get better quality out of Linux. ”
Like I said, it’s getting to him. They may have “a process that will lead to sustainable level of quality”, but it hasn’t so far. And the “someone in China in the middle of the night” isn’t an accurate characterization of the Linux process either.
Mr. Ballmer’s statements don’t actually bother me much, although his inaccurate “data” can’t go unchallenged. As I said above, this seems to me a throwback to an older, more combative persona. I expect he’ll snap out of it.
What is worth commenting on is the potential he and Mr. Gates show for “executive insulation syndrome”. This is a little known business malady that I’ve just made up. The most blatant example of the syndrome was Alex Trotman. When Mr. Trotman became President and CEO of Ford in 1993, he admitted that he had never in his life actually bought a car. He joined Ford in 1955 as a young man and drove nothing but company cars. Buying a car is a wretched process, and someone who has never done it can’t understand how unpleasant it really is. Or the essentially adversarial relationship it creates between company and customer.
I am guessing that Mr. Ballmer has a small army of IT people that make sure everything he, Gates and the other mucky-mucks touch is all smooth and seamless. I wonder how well he understands what a pain it is to run a system. Any system. Those that actually run multiple operating systems know very well that Linux is not as great as people say, and that Windows is not as bad. But they also know that Linux is unquestionably more secure than Windows. It comes like that out of the box. Windows is insecure out of the box. You can make it secure, but with the patch-a-minute regime in Redmond, it’s a lot of work to keep it that way. The change to monthly patches doesn’t actually improve the situation. It reduces the workload, but leaves more vulnerabilities unpatched for longer periods.
The “we’re better than Linux when it comes to security” line seems au courant at Microsoft lately. Bill Gates said last week in Germany about security patches, “We’ve gone from little over 40 hours on average to 24 hours. With Linux, that would be a couple of weeks on average.” What a wacky guy. Really though, this kind of statement is just self-defeating. It creates a no-win for MS. First, there’s nothing Gates or Ballmer can say to convince me Windows is more secure than Linux. Because in my daily experience, it’s not. Second, even if it were, that would help me the customer how? I have multiple Windows machines to take care of and switching to Linux across the board is not an option. If it were, I would have. Mr. Ballmer has famously stated a new dedication to customers. I believe he means it. But he should start by dealing with reality rather than spin. Whose rear end, so to speak, is on the line at Microsoft?