Security patches and journalistic ethics

This week, Apple released a rather large security update to Mac OS X. Predictably, that’s been followed by a flurry of articles in the press speculating as to what this means about OS X’s security relative to other OS’s. I’m not interested in discussing the security of OS X. (Today, anyway.) What bugs me is a lot of the press coverage. The release of a security patch, whether by Apple, Microsoft, or an open-source team, should not be used as a vehicle for speculation that the patched software is insecure.

Patches make a product more secure, but they are also a tacit admission that a security problem existed in the first place. That hits a journalistic nerve—stories about mea culpas make for good copy. But let’s put it in perspective. As systems professionals, we know that all software of any reasonable size has bugs. And for closed-source software, we only have two avenues of visibility into the security of the product: exploit reports (whether in the wild or in the lab), and patch releases.

But the layman doesn’t have this kind of sophistication in understanding security. They think of technology they’re familiar with, like telephones and elevators and jet planes and hospital equipment, as either working or not. And so it’s the responsibility of journalists covering technology, like any other esoteric topic, to not just report the news, but to put it into context. When they use a patch release as a hook to scare laymen about security, they’re failing to put the news into the proper context.

This is nothing new, of course, nor is it confined to technology. "If it bleeds, it leads." People’s beliefs about the increase or decline of the crime rate have more to do with the press coverage of crime than the crime rate itself. The impulse to "cover the controversy", to "sex it up" as they say in Britain, is strong in all types of news media. But the first job of a reporter is to inform, and this sort of coverage doesn’t inform.

Reports of unaddressed security issues or exploits, new features and services, and software designs meant to improve security are all legitimate avenues for discussion of security. But when a patch comes out, then it’s time for "just the facts, ma’am". Maybe you quote a security researcher who will say, "this represents the 463rd security patch this month for Xyz.com, compared to just two for their main competitor ABCcorp, which suggests Xyz.com may have a real problem making their product secure." But then you had better also get a quote pointing out that a product that never gets patched is even more unsafe.

Alarmist news reports are nothing new, I admit. But the real problem, and where it impinges on journalistic ethics, is that these kinds of reports discourage vendors from releasing patches until an exploit comes up. A rational executive, looking at the cost-benefit equation for releasing a security patch, is going to ask the question, “is the hit I know the company will take in the press for patching this worth it?” The more critical the stories about patches are, the less likely a company is to release a patch in a timely manner in the future.

(This is why Microsoft’s “patch Tuesday” is a brilliant move: by making the release of patches a ho-hum, regular thing, they reduce the novelty of reporting on it. Of course, it also sets a sort of least-common-denominator; exploits can be in the wild for over a month before finally getting patched, even if the patch can be readied quickly. I’ve also gotta think that the rise in web services has been at least partly due to a web service vendor being able to quietly patch their software without anyone except would-be exploiters being the wiser.)

The press obviously isn’t an impartial observer here; its behavior is affecting the actors. Tech journalists should realize this and pull way back on the alarm lever when writing stories about patches.