Category Archives: Security

Nokia in US Outsells RIM and Apple in Q2

I am getting a bit frustrated with the statistics in the news related to phone sales.

The real message for security is that mobile phones are outselling laptops and other devices by a far margin. Let me delve into the headlines for a minute, however, and try to explain my frustration.

Reuters, for example, headlines with “Google’s Android takes lead in US consumer smartphones: Android devices had 33 pct share in Q2“. Open the article, however, and you see that they compare Android to RIM.

That is like comparing Linux to Apple Laptop sales. One is an operating system, the other is hardware with an operating system.

A more fair comparison would be to say that hardware A is outselling hardware B. We find that in the article, as a late admission.

Android is available on smartphones from a number of different manufacturers.

NPD said Motorola’s (MOT.N) Droid was the best-selling Android handset in the second quarter among U.S. consumers, followed by HTC’s (2498.TW) Droid Incredible and EVO 4G.

Therefore, Motorola, which is now owned by Nokia, makes the best-selling handset of the best-selling operating system. That is why I call this Nokia in the US outsells RIM and Apple in Q2.

Here is an even more egregious example, from the BBC. Their headline reads “Google Android phone shipments increase by 886%”

We should prepare to be wowed. That’s a lot of percentage points, right? Open the article and you find the same error as with Reuters. They bounce back and forth between platforms and devices, software and hardware.

Right away they say that Android sales are split across numerous companies.

Pete Cunningham, an analyst at Canalys, said Android’s sales were in part due to recent launches of “highly compelling” phones.

“We’re really seeing major vendors getting behind the platform,” he said.

In particular, he said, large manufacturers such as HTC, Samsung and Sony Ericsson, all used the platform and had helped drive shipments.

Um, ok. HTC, Samsung, Sony Ericsson get mentioned, but where is Motorola Nokia Siemens? Note above again that the Reuters article called Motorola the Android sales leader.

I find the BBC trying to compare software on a chart that has shipments of Symbian far ahead of RIM, Android and Apple. RIM and Apple? Companies that make hardware and software. Android and Symbian? Operating systems. Mix it all together, ignore the fact that Symbian ships on everything from the most basic phone to the smartphone…and you get a statistical mess. Strange how they pull the whole Android market together to get the high percentage but leave alone the question of what that really means…like Nokia consolidating its lead position with an Android option on its hardware while RIM, Apple and Microsoft lag behind.

Someone in Android marketing is doing a very good job at confusing the press.

The story, as I mentioned at the start, is really that consumers are buying into an open-platform smartphone model. Adoption and upgrade rates are far higher than with more expensive laptops and mobile compute devices. Nokia has a strong lead in the US as well as globally, while RIM is a distant second and Apple is third. Microsoft’s share is shrinking, which they apparently blame on a transition in OS but everyone knows it’s just another leadership catastrophe (like when CEO Ballmer blamed weak Vista sales on better security *cough*).

Perhaps a reporter could do a fairer evaluation along the lines of Nokia/HTC/Samsung/Sony/RIM/Apple for hardware and then Symbian/Android/BBOS/iOS for software. I have looked but not found one yet.

Major Flaw in BioLock Model 333

A brief synopsis of this video by Marc Weber Tobias is “nice package…but this lock should not be used”.

The Model 333 from BioLock USA puts a fingerprint reader on a mechanical cylinder. The lock costs nearly $200 and gives the appearance of high security. The demonstration shows that a paperclip can be inserted to easily defeat the lock.

I see a particularly glaring gap between appearance and actual security: the very distinctive and expensive look signals a high-security lock, yet that same look now identifies a lock that can be easily bypassed. That shiny blue LED that was probably meant to provide some kind of deterrent effect instead practically advertises a lock with no security.

BioLock has refused to comment but a vendor called BrickHouse Security has agreed to accept returns and discontinue sales of the BioLock Model 333.

Upon hearing this information, BrickHouse Security immediately pulled the BioLock 333 from their product line. “We’re dedicated to offering consumers a quality product and frankly, the BioLock 333 is not that,” said Todd Morris, CEO of BrickHouse Security.

Locks are picked all the time but it is rare to see a vendor take such a firm stance on protecting customers, especially given the apparent lack of concern from a manufacturer.

SAS 70 Replaced by Two New Standards

ISACA has announced that the venerable SAS 70 is being retired in 2011:

Statement on Auditing Standard No. 70 (SAS 70) will be replaced by two new standards: an attestation standard that will guide service auditors in the conduct of an examination of, and the resulting reporting on, controls at a service organization and an auditing standard that will guide user auditors in consideration of internal control when processing is performed by a service organization.

These new standards are to be used for reporting periods ending on or after June 15, 2011.

  • International Standard on Assurance Engagements No. 3402 (ISAE 3402), Assurance Reports on Controls at a Service Organization
  • Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization

ISAE 3402 is the international standard adopted by the International Auditing and Assurance Standards Board (IAASB), while SSAE 16 is the “local” standard adopted by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).

One of the big complaints about SAS 70 was that it allowed the entity being audited to drastically limit scope. A test may only include physical security, for example, while logical security controls are ignored. An ISAE 3402/SSAE 16 report still allows this gap; however, the new standards require that a report clearly explain what was excluded from the review, so a reader can see the gap rather than assume coverage.

Likewise, a complaint about a Type 1 SAS 70 was that it did not test whether controls were effective in operation. This limitation is still present in the new standards, but not in exactly the same form. A Type 1 report is where an auditor reports whether a service provider’s description “fairly presents” their system and whether controls are “suitably designed to achieve control objectives” as of a specified date. A Type 2 report adds to this whether the controls operated effectively over a specified period of time.

Although the Type 2 seems similar upon first review, I noted that there is a major difference with the new standards. A SAS 70 Type 2 opinion on the description of the system and the design of controls was given as of a single date, the final day of the review period; only the test of operating effectiveness covered the period. Under ISAE 3402/SSAE 16 the opinion on the description and design of controls appears to cover the entire period under review. The new standards also require a formal written assertion from management.

Tribalism. Makes you stupid?

Mark Shuttleworth is in a defensive position, according to Linux Journal. His Ubuntu has come under fire yet again for contributing far fewer patches to Linux than Red Hat and Novell SuSE.

Canonical’s contribution from the 2.6.15 kernel to 2.6.27-rc6, was 100 patches.

This was against a total of 99,324 patches; Canonical’s share was 0.1 percent. Red Hat was the top contributor from among distributions, with 11,846 patches. Novell had 7,222 patches.

Debian and Gentoo, both non-profits, contributed 288 and 241 patches respectively. Canonical, owned by a multi-millionaire, contributed 100 patches.

This might seem to be an odd measure of contribution, as Linux Journal points out. Marketing Linux and making it more user friendly obviously has value. The issue would then just be one of attribution, as Red Hat loyalists explain:

Canonical was little more than “marketing organization masquerading as an engineering organization” taking “credit for code that Red Hat engineers wrote.”

Instead of discussing this problem of attribution and how to best fit within the different distributions, however, last week Shuttleworth came out swinging.

Tribalism is when one group of people start to think people from another group are “wrong by default”. It’s the great-granddaddy of racism and sexism. And the most dangerous kind of tribalism is completely invisible: it has nothing to do with someone’s ‘birth tribe’ and everything to do with their affiliations: where they work, which sports team they support, which linux distribution they love.

This is an interesting concept, but philosophically and historically I think he misses the mark.

First, the creation of a distinct identity, even for a tribe, can have a positive effect and does not necessarily place others in the wrong. Martin Buber’s book Ich und Du gives many examples of how this might work. Differences held with respect can yield a better outcome than forcing everyone into a single group that is meant to be predictable.

Buber characterizes “I-Thou” relations as “dialogical” and “I-It” relations as “monological.” In his 1929 essay “Dialogue,” Buber explains that monologue is not just a turning away from the other but also a turning back on oneself (Rückbiegung). To perceive the other as an It is to take them as a classified and hence predictable and manipulable object that exists only as a part of one’s own experiences. In contrast, in an “I-Thou” relation both participants exist as polarities of relation, whose center lies in the between (Zwischen).

The creation of Ubuntu, in other words, formed an identity distinct from Red Hat and SuSE — it created a new distribution with a following that some might call a tribe. Shuttleworth could have instead joined the existing groups, but he struck out on his own in an “I-Thou” effort.

Shuttleworth has an opportunity here to say that groups and tribes should celebrate their differences. The gulf between them is what makes their relationship more beneficial. Instead, he falls prey to a logical fallacy. His blog says that all absolutes are bad. He cites an example from his critics that says “The other guys have never done anything useful”. I would have just called that untrue at face value, but Shuttleworth first calls it tribalism and then equates it to racism:

So if you see someone saying ‘Microsoft is totally evil’, that’s a big red flag for tribal thinking. It’s just like someone saying ‘All black people are [name your prejudice]’. It’s offensive nonsense, and you would be advised to distance yourself from it, even if it feels like it would be fun to wave that pitchfork for a while.

It is offensive because of its content, but more importantly it is a logical fallacy. It has nothing to do with tribalism except for the fact that the I-Thou is being replaced with an I-It. Dislike or disrespect for someone, whether it be from a single person or a whole group, is the same thing.

Unfortunately, Shuttleworth, after making his giant first point about offensive nonsense that comes from generalities, gives us some offensive nonsense that comes from a generality.

Let’s be clear: tribalism makes you stupid. Just like it would be stupid not to hire someone super-smart and qualified because they’re purple, or because they are female, it would be stupid to refuse to hear and credit someone with great work just because they happen to be associated with another tribe.

He has labeled someone as tribal. He then calls tribal stupid. Therefore he wants us to believe that this other person is stupid? How is this different from what he asks everyone not to do? What if he had labeled them American, or labeled them as purple? He falls victim to the very thing he warns against.

Discrimination and hatred are what can make you stupid. An I-Thou relationship does not have to include these factors; it can be a place of reflection on oneself and respect for differences. It can lead to attribution, which is perhaps something Shuttleworth is not prepared to discuss.

More to the point a comment on his article by John Bowman gives a perfect example of someone who now wants to join the Canonical tribe. Note the emphasis on joining a tribal environment:

You make Canonical sound like a place I would enjoy working at. When can I start?

While reading this and thinking about how nice a quality that is of a company to have, about the only thing that came to mind was wonder at how the actual employees are regarding the work that they do. Is it all about the individual’s work contributing to the overall product or is it a “we’re all in this together” type of an environment. If it’s the latter, then sign me up!

Is this person also a stupid tribalist? He responds to Shuttleworth’s rant against “in this together” tribalism by asking to join Ubuntu, if it is an “in this together” environment.

Second, humans clearly have an evolutionary need to socialize. Anthropologists suggest this comes from a need for survival, a strength-in-numbers strategy. Discord will push individuals away from each other, but a common bond may enable them to overcome their differences and reduce the risk each of them faces by defending themselves together. Moreover, controlled discord can lead to innovation that also reduces risk. Working together thus has numerous benefits, and tribalism could actually make you not only more intelligent but safer as well. Marshall Sahlins called this the original affluent society.

The position Shuttleworth settles into at the end of his blog post, wildly inconsistent with the beginning, supports this notion. He calls on his followers to choose the right path, follow good values, and things should work out.

I would like to say this to everyone who feels associated with Ubuntu: hold fast to what you know to be true. You know your values. You know how hard you work. You know what an incredible difference your work has made. You know that you do it for a complex mix of love and money, some more the former, others more the latter, but fundamentally you are all part of Ubuntu because you think it’s the most profound and best way to spend your time. Be proud of that.

Aside from the tautological nature of that advice, it reminds me of the new tribalists, as found in Daniel Quinn’s novel Ishmael:

There’s nothing fundamentally wrong with people. Given a story to enact that puts them in accord with the world, they will live in accord with the world. But given a story to enact that puts them at odds with the world, as yours does, they will live at odds with the world. Given a story to enact in which they are the lords of the world, they will act like lords of the world. And, given a story to enact in which the world is a foe to be conquered, they will conquer it like a foe, and one day, inevitably, their foe will lie bleeding to death at their feet, as the world is now.

How does one find the right story, or the right path? In conclusion, Shuttleworth is illogical at first but shows strong leadership values in the end. He must know that humans seek social networks to form a sense of value and pride, which is why he calls upon “everyone who feels associated with Ubuntu”. Shuttleworth says his organization actively tries to eliminate tribal thinking, but hopefully I have explained above how this is hypocritical as well as detrimental. Malcolm Gladwell also makes a very compelling argument for why this is a bad idea in his book The Tipping Point. It is far better that Shuttleworth also says his organization holds respect for others as a core value. This is a great position, and as a leader he should practice the same, developing the positive aspects of an I-Thou relationship with SuSE and Red Hat; the Linux community overall, its security included, will be the better for it. Then again, I am hoping for respect to come from the same person who apparently has refused to apologize for saying “Linux is hard to explain to girls” in a Linux conference keynote speech.