Ron Schenone

Torvalds – Fed Up With The Security Circus

Posted by on Aug 15, 2008 | 6 Comments

Linus Torvald who is the founder of the Linux kernel, took on the security folks calling the bug pluggers a bunch of ‘masturbating monkeys’. In a statement Torvalds also states that security has become a circus in which the security folks claim accolades when they discover a hole in software.

He also states that:

“one reason I refuse to bother with the whole security circus is that I think it glorifies — and thus encourages — the wrong behavior. It makes ‘heroes’ out of security people, as if the people who don’t just fix normal bugs aren’t as important. In fact, all the boring normal bugs are way more important, just because there’s a lot more of them.”

It does make one think about how much we are bombarded with holes in software that requires either patches, fixes or repairs that sometimes cause more problems than they sometimes fix. Windows as we all know is notorious for being a security sieve, and even Vista is not 100% reliable when it comes to security. But what software is not vulnerable? Unfortunately no software is impervious to bugs.

He also stated:

Too often, so-called “security” is split into two camps: one that believes in nondisclosure of problems by hiding knowledge until a bug is fixed, and one that “revels in exposing vendor security holes because they see that as just another proof that the vendors are corrupt and crap, which admittedly mostly are,” Torvalds states.

Torvalds went on to say he views both camps as “crazy.”

“Both camps are whoring themselves out for their own reasons, and both camps point fingers at each other as a way to cement their own reason for existence,” Torvalds asserts. He says a lot of activity in both camps stems from public-relations posturing.

This one statement:  ‘Both camps are whoring themselves out for their own reasons’ shows that Torvalds doesn’t mince words in expressing his opinions.

What does this have to do with all of us? I know I personally report these vulnerabilities as they are presented.  Maybe it is time that we place these vulnerabilities in perspective and heed Torvalds words.

What do you think?

Comments welcome.

Source.

  • Ryan

    Well, the UNIX security model, combined with the multitude of Linux security systems mitigate most security problems that will arise, you have to work pretty darned hard to make your Linux box is a likely target for a remote attack.

    Even local privilege elevation is mitigated by DIC/MAC controls, and as such would require a really bright person with just the perfect storm of system setting screwups on the part of the administrator.

    So in that sense, a Linux security bug hardly ever goes above mild or moderate importance, and gets fixed pretty quickly in comparison to Apple, Microsoft, or even other open sourced projects.

    So what Linus is saying, basically, “If there’s a run of the mill security bug, and a crasher bug thats affecting lots of people, prioritize the crasher”, I agree 100%, because an OS is useless if you can’t actually use it to begin with.

    You tell me the last time you saw anyone running an OpenBSD desktop, and I’ll take that back. ;)

  • grannar olice

    ‘Both camps are whoring themselves out for their own reasons’

    Add Linus Torvald to form the third camp, IMHO.

    I have been recently trying to figure out how “secure” Linux “really” is, and it is confused, confusing, obfuscated, and little treated in what I can find online. Security by obscurity is useless, and Linux has obscurity, compared to the rich source of vulnerabilities the Windows community [including [l][u]sers] presents for the commercial malware providers. Nonetheless, even a noob like me can see security problems which merit ‘fixing” [or making the update part of the system, or explaining in "simple" terms how do to it oneself] in Linux compared to, for example, Vista.

    OK, Linus would rather fix [his choice of] O/S operating glitches than solve exploitable vulnerabilities which are shown to him. That is his choice.

    I would rather see Linux head in the direction of having fewer glitches and fewer open vulnerabilities. But that is my preference. I whore myself out [in this forum] for my own reasons, thank U.

  • E2001

    War is Peace
    Freedom is Slavery
    Security is Insecurity

    - Ministry of Truth -

  • http://izanbardprince.wordpress.com Ryan

    @Grannar Olice

    Security of UNIX/Linux/BSD/Mac and “security” in Windows Vista are like comparing apples and bowling balls.

    Yeah, Vista has a few “security” things in place that try to dodge some of the really common, stupid, and obvious problems that the users may not be aware of, but it goes a long way from being comprehensive, all around security, from the ground up.

    The truth of the matter is that Vista makes little difference in the end, because security was an afterthought, tacked on after the fact.

    Fact being that Windows was designed long ago, and not really meant to prioritize security, 9x/Me had none at all, XP had very little, and Vista has a little bit more.

    It’s a shame that they can’t even secure the system without making the user experience a nightmare.

    I’m really hoping that Midori thing is really going to replace Windows.

  • Exothermic Reaction

    I don’t know what you find obscure about Linux or it’s security realm. If you really want to dig into it the source code is out there with the exception of a few proprietary drivers. You can review any of the source code you want with Linux.

    The terms Security through obscurity is used to describe security products or procedures that the vendors feel would be broken if the underlying details are exposed. Any security that relies on keeping it’s underlying details secret is considered broken by most security experts. All it takes is someone to take a close look at how it works, discover the secret and the cat is out of the bag.

    In a good security product or procedure the only secrets are in the keys or credentials used to restrict access.

    Try to look at the windows source code. Sure some of it is available through special agreements, but only Microsoft knows for certain what is or isn’t in windows.

    Exo

  • grannar olice

    @Ryan, “Vista [...]goes a long way from being comprehensive, all around security, from the ground up. [...] Vista [...]security was an afterthought, tacked on after the fact.
    Fact being that Windows was designed long ago, and not really meant to prioritize security, 9x/Me had none at all, XP had very little, and Vista has a little bit more.”

    Thanks for the explanation, I get it now. I was afraid that Vista put something valuable in which Linux, for whatever reason, had not got around to doing. You are saying Linux is and has been basically at the leading edge of security.

    =====

    @Exothermic Reaction “I don’t know what you find obscure about Linux or it’s security realm”

    I don’t understand what I read about various security issues and features. This is my limitation; Linux documentation may not be crafted for my ear and mind. You are right that open code is anything but obscure to those who can read and comprehend it.

    =====

    Thanks to both for clarifying things. I want to learn.