Torvalds attacks IT industry 'security circus'
In an email to the Linux kernel developer mailing list, Torvalds said a section of the security industry was dedicated to finding bugs in software only to publicize their findings and gain notoriety.
The row erupted in the Gmane mailing list after a developer for the PaX Team, which patches the Linux kernel, accused Torvalds and other top Linux kernel developers of "covering up [the] security impact of bugs" by not clearly labeling them as security flaws.
Torvalds wrote that disclosing the bug itself was enough, without having to label each individual security flaw. He added that taking the bugs to the "security circus" level only glorified the wrong kind of behavior. "It makes heroes out of security people, as if the people who [...] fix normal bugs aren't as important," wrote Torvalds.
What was left behind for the developers were all the "boring" bugs, which Torvalds considered more important due to their volume.
"Boring normal bugs are way more important, just because there's a lot more of them," wrote Torvalds. "I don't think some spectacular security hole should be glorified or cared about as being any more 'special' than a random spectacular crash due to bad locking," he said.
The Linux leader went on to state that "security people are often the black-and-white kind of people that I can't stand".
Torvalds appeared particularly irked by the creators of the OpenBSD operating system, who have focused on security and auditing when developing their variant of Unix. OpenBSD is known to be used in high-security environments such as the US Federal Bureau of Investigation.
"I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them. To me, security is important. But it's no less important than everything else that is also important!" Torvalds concluded.
Torvalds's comments drew various reactions from the OpenBSD developer community. In an email exchange with ZDNet.co.uk, developer Ken Westerback wrote that an interest in security should lead to fixing all bugs.
"As far as I am concerned OpenBSD is the project with the most demonstrated interest in fixing all bugs found, no matter how trivial, and to systematically examine all source code for instances of bugs encountered," wrote Westerback. "I believe that this is the bedrock principle of pursuing security — software that 'just works' rather than software with Rube Goldberg constructs of knobs and security theatre scenery." Westerback wrote that software produced by people interested in security "probably works better in most cases because a belief in simplicity, clarity and consistency usually produces better code than other approaches."
Developer Kjell Wooding agreed that OpenBSD coders treat bugs with equal significance.
"There is a certain irony to Linus's comment there," wrote Wooding in an email to ZDNet.co.uk. "The 'a bug is a bug' principle that he is espousing is exactly the approach taken by the OpenBSD developers that I know. The OpenBSD I know doesn't concentrate on security — it concentrates on correctness."
OpenBSD developer Bob Beck told ZDNet.co.uk that Torvalds's comments showed "ignorance", as OpenBSD coders did take the approach of dealing with bugs equally.
"The comments sound like much of the usual chest beating we are used to seeing to make all the fanboys and girls on the lists swoon," wrote Beck. "Realistically it just demonstrates an ignorance of the OpenBSD project."
Beck added that Torvalds's comments were unfortunate, in that they could encourage Linux "fanboys and girls" to not focus on code quality.
"Those sorts of unfounded statements probably contribute to the type of attitude in Linux distributions that results in them introducing spectacular bugs into software ported into their distributions from OpenBSD, such as the recent Debian vulnerabilities," wrote Beck. "To the fanboys this says 'don't listen to security concerned people — they're just masturbating monkeys'. Which leads to more bugs to fix."
Both Wooding and Beck took Torvalds's comments in good humor. "I don't know what Linus's beef is. He seems to be on the same page with respect to this issue. And the 'masturbating monkey' thing? Well that's just funny," wrote Wooding.
OpenBSD developer Artur Grabowski wrote on Thursday that Torvalds had been in touch with the OpenBSD community.
"I talked to Linus about this already, he was humble about it and said it didn't look like it from the outside that we shared the same view," wrote Grabowski. "We all had a laugh about it."
Talkback (most recent of 30)
Torvalds attacks IT industry 'security circus'
So Linus admits that there are security flaws in linux as well as other bugs? I've been saying that for a long time but the fanboys wouldn't believe me. Now that their leader finally admits to it perhaps the fanboys will too.
Linus Torvalds has always and will always be a chump. He thinks he knows so much more than anyone else about developing an OS and that's why he ticks everyone off. The guy should just keep his mouth shut for once. Maybe if he gets deported out of the U.S. and back to Finland that will change his attitude.
It sounds more like Linus is jealous because the OpenBSD project is secure and stable and his OS is not. And that OpenBSD folks preach security above all else which makes it a great platform. There has always been a feud between Linus and the OpenBSD crowd. But what really cracks me up is when Theo basically slaps Linus back into reality and puts him in his place. Nothing is funnier than seeing Linus squirm. I can't wait for Theo to comment on this one.
Loverock Davidson, 17th Jul 2008
LD is a chump
L.D. has always and will always be a chump. He thinks he knows so much more than anyone else about developing an OS and that's why he ticks everyone off.
OpenBSD, Linux, Unix, all are more secure than Windows. That's a fact even you can't deny.
-Mike
SpikeyMike, 17th Jul 2008
OMG! How original!
Did you make that up yourself? You are so original.
OpenBSD, Linux, Unix, all are more secure than Windows. That's a fact even you can't deny.
Who said anything about Windows? Do you have that much envy for it that you have to bring it up? Wow.
Loverock Davidson, 17th Jul 2008
.....
Like a poor marksman you are missing it completely...
Linux User 147560, 17th Jul 2008
It was right on target
You people are in denial today.
Loverock Davidson, 17th Jul 2008
.....
Only one in denial is you.
Linux User 147560, 17th Jul 2008
You're right
And at least with Theo - he does go on long-winded rants, but at least his rants have a purpose to them. Linus seems to be like that annoying student in a class who just doesn't know when to shut up and listen to the professor.
Yes, security has turned into a circus, but at the same time, downplaying a security bug to being equal to that of a USB driver bug which results in slower speeds - doesn't give me any hope that he knows the idea of triage.
Kaiwai, 17th Jul 2008
Right you are
That's why Theo's comments will be welcomed. I want to see him b-slap Linus again. Security bugs are definitely important.
Loverock Davidson, 17th Jul 2008
This is amazing!
After reading the article and then gandering at the commentary, and seeing the explosive personal attacks in the (lack of interesting) commentary responding to your opinion of Linus Torvalds' childish and at best, boorish comment about the security issues vs the ordinary bugs in the Linux code -- how quick these mindless rants came about, bringing into it a personal attack against you, the author of the comment I speak of.
It is mind-numbing to read such rants from either the Mac or the Linux fan-boys. Mindless diatribes that are being held accountable by the judgments of many people that come here, or anywhere that has an IT publication on the web.
This ranting by these fan-boys goes past the word 'absurd'. I like Linux, I use Ubuntu as a toy box and test box learning new things. I see fault easily enough in any operating system, and check this out -- to use an odious and contemporary word, they all suck with flaws, get over it!
Nothing grieves me more than whiners complaining about their issues with Microsoft, Apple and Linux without ever really doing anything productive. It is no surprise that both Linux in any flavor, and for Apple that it is only hovering around 10% of the world's populace that use Microsoft, especially wading through comments as idiotic as these.
There is no excuse for Linus to lip off and send a lackluster comment out like this, and it leaves me to the realization, no matter how good he or anyone here thinks the Linux world is, it is only a dismal and fleeting reflection of these ranting diatribes of those that represent the Open Source community.
The very next time you Linux Fan-Boys want to dishonor the few hard working people trying to make the PC and IT world a better place, try engaging the mind, expanding your use of language and thought to better suit and represent the community that you value so dearly.
Also, I might add, leave people's family members and personal attacks out of your objectives and opinions. You folks out here remind me of a pack of misfit trolling dogs that should be rounded up and affirmatively dealt with!
Yeah, if you can attempt to bring the "Pro Linux" opinions up a serious notch, which I certainly do not think that you're capable enough of, that would really be amazing!
Kromaethius, 17th Jul 2008
Indeed.
Haha, you got it so right there!
Shows that there is still a glimmer of hope in the dank world of OS wars.
JonWoG, 18th Jul 2008
Masturbating Monkeys
So if you put thousands of masturbating monkeys in a room, and gave them 10 years, they could apparently have created the most secure operating system in the world. Puts an end to *that* argument.
shane@..., 18th Jul 2008
I agree with Linus
Just look at all the "Arbitrary Code Execution" announcements in ZDNet's ZeroDay blog.
Guess what people? Don't run with administrative privileges and virtually all of that shyt goes away.
Here's the irony: the people most likely to understand what "arbitrary code execution" means should be the least likely to be affected. But in my experience I give people who are supposedly "in the know" way too much credit.
If you insist on running as an administrator on Windows XP/2000/Vista without UAC, then this is for you:
http://www.download.com/RemoveAdmin/3000-2381_4-10824971.html?tag=lst-1&cdlPid=10835515
-M
betelgeuse68, 17th Jul 2008
Privilege escalation
If I can run arbitrary code on your PC then I can escalate the privs to admin. It doesn't matter if you are running as admin because chances are the arbitrary code execution is running as a different user anyway. It all depends on the vulnerability. Microsoft makes it so easy to escalate your privs. I'd bypass Admin and go for System instead; then I really own it, and it doesn't matter if you are running as a basic user or as admin. To top this off, it all can be done automatically with a certain nifty tool available for download on the net that I will not mention. There are also a couple of nice web sites for this stuff too if you have a bit of programming knowledge, as the examples are purposefully crippled by a missing line here or there.
voska1, 17th Jul 2008
What are you talking about?
Nonsense looks like to me.
"It doesn't matter if you are running as admin because chances are the arbitrary code execution is running as a different user anyway."
betelgeuse68, 17th Jul 2008
You have to get to the machine first...
And anyone who is truly concerned about security shouldn't be relying on their OS connected directly to the public internet to provide the security anyway. Some level, sure. But if you take away the ability to get directly to the desktop, you filter all your IP traffic through a firewall/IPS device, having AV and Malware scanning on ALL ip based traffic in and out of your network, then you're going to have a very hard time getting into a PC, be it Windows, Linux, Mac or OpenBSD.
LiquidLearner, 17th Jul 2008