
Torvalds - Fed Up With The Security Circus

Linus Torvalds, the founder of the Linux kernel, took on the security folks, calling the bug pluggers a bunch of ‘masturbating monkeys’. In a statement Torvalds also said that security has become a circus in which the security folks claim accolades whenever they discover a hole in software.

He also states that:

“one reason I refuse to bother with the whole security circus is that I think it glorifies — and thus encourages — the wrong behavior. It makes ‘heroes’ out of security people, as if the people who don’t just fix normal bugs aren’t as important. In fact, all the boring normal bugs are way more important, just because there’s a lot more of them.”

It does make one think about how constantly we are bombarded with holes in software that require patches, fixes or repairs, which sometimes cause more problems than they fix. Windows, as we all know, is notorious for being a security sieve, and even Vista is not 100% reliable when it comes to security. But what software is not vulnerable? Unfortunately no software is impervious to bugs.

He also stated:

Too often, so-called “security” is split into two camps: one that believes in nondisclosure of problems by hiding knowledge until a bug is fixed, and one that “revels in exposing vendor security holes because they see that as just another proof that the vendors are corrupt and crap, which admittedly mostly are,” Torvalds states.

Torvalds went on to say he views both camps as “crazy.”

“Both camps are whoring themselves out for their own reasons, and both camps point fingers at each other as a way to cement their own reason for existence,” Torvalds asserts. He says a lot of activity in both camps stems from public-relations posturing.

This one statement, ‘Both camps are whoring themselves out for their own reasons’, shows that Torvalds doesn’t mince words in expressing his opinions.

What does this have to do with all of us? I know I personally report these vulnerabilities as they are presented. Maybe it is time that we place these vulnerabilities in perspective and heed Torvalds’ words.

What do you think?

Comments welcome.


6 Comments

Well, the UNIX security model, combined with the multitude of Linux security systems, mitigates most security problems that will arise; you have to work pretty darned hard to make your Linux box a likely target for a remote attack.

Even local privilege elevation is mitigated by DAC/MAC controls, and as such would require a really bright person with just the perfect storm of system setting screwups on the part of the administrator.

So in that sense, a Linux security bug hardly ever goes above mild or moderate importance, and gets fixed pretty quickly in comparison to Apple, Microsoft, or even other open-source projects.

So what Linus is saying is basically, “If there’s a run-of-the-mill security bug and a crasher bug that’s affecting lots of people, prioritize the crasher.” I agree 100%, because an OS is useless if you can’t actually use it to begin with.

You tell me the last time you saw anyone running an OpenBSD desktop, and I’ll take that back. ;)

‘Both camps are whoring themselves out for their own reasons’

Add Linus Torvalds to form the third camp, IMHO.

I have been recently trying to figure out how “secure” Linux “really” is, and it is confused, confusing, obfuscated, and little treated in what I can find online. Security by obscurity is useless, and Linux has obscurity, compared to the rich source of vulnerabilities the Windows community [including [l][u]sers] presents for the commercial malware providers. Nonetheless, even a noob like me can see security problems which merit “fixing” [or making the update part of the system, or explaining in “simple” terms how to do it oneself] in Linux compared to, for example, Vista.

OK, Linus would rather fix [his choice of] O/S operating glitches than solve exploitable vulnerabilities which are shown to him. That is his choice.

I would rather see Linux head in the direction of having fewer glitches and fewer open vulnerabilities. But that is my preference. I whore myself out [in this forum] for my own reasons, thank U.

War is Peace
Freedom is Slavery
Security is Insecurity

- Ministry of Truth -

@Grannar Olice

Security of UNIX/Linux/BSD/Mac and “security” in Windows Vista are like comparing apples and bowling balls.

Yeah, Vista has a few “security” things in place that try to dodge some of the really common, stupid, and obvious problems that the users may not be aware of, but it goes a long way from being comprehensive, all around security, from the ground up.

The truth of the matter is that Vista makes little difference in the end, because security was an afterthought, tacked on after the fact.

Fact being that Windows was designed long ago, and not really meant to prioritize security, 9x/Me had none at all, XP had very little, and Vista has a little bit more.

It’s a shame that they can’t even secure the system without making the user experience a nightmare.

I’m really hoping that Midori thing is really going to replace Windows.

Exothermic Reaction

August 16th, 2008
at 5:14pm

I don’t know what you find obscure about Linux or its security realm. If you really want to dig into it, the source code is out there, with the exception of a few proprietary drivers. You can review any of the source code you want with Linux.

The term “security through obscurity” is used to describe security products or procedures that the vendors feel would be broken if the underlying details were exposed. Any security that relies on keeping its underlying details secret is considered broken by most security experts. All it takes is someone to take a close look at how it works, discover the secret, and the cat is out of the bag.

In a good security product or procedure the only secrets are in the keys or credentials used to restrict access.

Try to look at the Windows source code. Sure, some of it is available through special agreements, but only Microsoft knows for certain what is or isn’t in Windows.

Exo

@Ryan, “Vista [...] goes a long way from being comprehensive, all around security, from the ground up. [...] Vista [...] security was an afterthought, tacked on after the fact.
Fact being that Windows was designed long ago, and not really meant to prioritize security, 9x/Me had none at all, XP had very little, and Vista has a little bit more.”

Thanks for the explanation, I get it now. I was afraid that Vista put something valuable in which Linux, for whatever reason, had not got around to doing. You are saying Linux is and has been basically at the leading edge of security.

=====

@Exothermic Reaction “I don’t know what you find obscure about Linux or its security realm”

I don’t understand what I read about various security issues and features. This is my limitation; Linux documentation may not be crafted for my ear and mind. You are right that open code is anything but obscure to those who can read and comprehend it.

=====

Thanks to both for clarifying things. I want to learn.
