Torvalds attacks IT industry 'security circus'
Summary: The Linux creator has some harsh words for creators of the OpenBSD operating system, as part of a wider critique of what he sees as self-centered behavior in the IT security industry
In an email to the Linux kernel developer mailing list, Torvalds said a section of the security industry was dedicated to finding bugs in software only to publicize their findings and gain notoriety.
The row erupted in the Gmane mailing list after a developer for the PaX Team, which patches the Linux kernel, accused Torvalds and other top Linux kernel developers of "covering up [the] security impact of bugs" by not clearly labeling them as security flaws.
Torvalds wrote that disclosing the bug itself was enough, without having to label each individual security flaw. He added that taking the bugs to the "security circus" level only glorified the wrong kind of behavior. "It makes heroes out of security people, as if the people who [...] fix normal bugs aren't as important," wrote Torvalds.
What was left behind for the developers were all the "boring" bugs, which Torvalds considered more important due to their volume.
"Boring normal bugs are way more important, just because there's a lot more of them," wrote Torvalds. "I don't think some spectacular security hole should be glorified or cared about as being any more 'special' than a random spectacular crash due to bad locking," he said.
The Linux leader went on to state that "security people are often the black-and-white kind of people that I can't stand".
Torvalds appeared particularly irked by the creators of the OpenBSD operating system, who have focused on security and auditing when developing their variant of Unix. OpenBSD is known to be used in high-security environments such as the US Federal Bureau of Investigation.
"I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them. To me, security is important. But it's no less important than everything else that is also important!" Torvalds concluded.
Torvalds's comments drew various reactions from the OpenBSD developer community. In an email exchange with ZDNet.co.uk, developer Ken Westerback wrote that an interest in security should lead to fixing all bugs.
"As far as I am concerned OpenBSD is the project with the most demonstrated interest in fixing all bugs found, no matter how trivial, and to systematically examine all source code for instances of bugs encountered," wrote Westerback. "I believe that this is the bedrock principle of pursuing security — software that 'just works' rather than software with Rube Goldberg constructs of knobs and security theatre scenery." Westerback wrote that software produced by people interested in security "probably works better in most cases because a belief in simplicity, clarity and consistency usually produces better code than other approaches."
Developer Kjell Wooding agreed that OpenBSD coders treat bugs with equal significance.
"There is a certain irony to Linus's comment there," wrote Wooding in an email to ZDNet.co.uk. "The 'a bug is a bug' principle that he is espousing is exactly the approach taken by the OpenBSD developers that I know. The OpenBSD I know doesn't concentrate on security — it concentrates on correctness."
OpenBSD developer Bob Beck told ZDNet.co.uk that Torvalds's comments showed "ignorance", as OpenBSD coders did take the approach of dealing with bugs equally.
"The comments sound like much of the usual chest beating we are used to seeing to make all the fanboys and girls on the lists swoon," wrote Beck. "Realistically it just demonstrates an ignorance of the OpenBSD project."
Beck added that Torvalds's comments were unfortunate, in that they could encourage Linux "fanboys and girls" to not focus on code quality.
"Those sorts of unfounded statements probably contribute to the type of attitude in Linux distributions that results in them introducing spectacular bugs into software ported into their distributions from OpenBSD, such as the recent Debian vulnerabilities," wrote Beck. "To the fanboys this says 'don't listen to security concerned people — they're just masturbating monkeys'. Which leads to more bugs to fix."
Both Wooding and Beck took Torvalds's comments in good humor. "I don't know what Linus's beef is. He seems to be on the same page with respect to this issue. And the 'masturbating monkey' thing? Well that's just funny," wrote Wooding.
OpenBSD developer Artur Grabowski wrote on Thursday that Torvalds had been in touch with the OpenBSD community.
"I talked to Linus about this already, he was humble about it and said it didn't look like it from the outside that we shared the same view," wrote Grabowski. "We all had a laugh about it."
Talkback
Torvalds attacks IT industry 'security circus'
Linus Torvalds has always and will always be a chump. He thinks he knows so much more than anyone else about developing an OS and that's why he ticks everyone off. The guy should just keep his mouth shut for once. Maybe if he gets deported out of the U.S. and back to Finland that will change his attitude.
It sounds more like Linus is jealous because the OpenBSD project is secure and stable and his OS is not. And that OpenBSD folks preach security above all else, which makes it a great platform. There has always been a feud between Linus and the OpenBSD crowd. But what really cracks me up is when Theo basically slaps Linus back into reality and puts him in his place. Nothing is funnier than seeing Linus squirm. I can't wait for Theo to comment on this one.
LD is a chump
OpenBSD, Linux, Unix, all are more secure than Windows. That's a fact even you can't deny.
-Mike
OMG! How original!
[i]OpenBSD, Linux, Unix, all are more secure than Windows. That's a fact even you can't deny.[/i]
Who said anything about Windows? Do you have that much envy for it that you have to bring it up? Wow.
It was right on target
You're right
Yes, security has turned into a circus, but at the same time, downplaying a security bug to being equal to that of a USB driver bug which results in slower speeds doesn't give me any hope that he knows the idea of triage.
Right you are
This is amazing!
It is mind-numbing to read such rants from either the Mac or the Linux fan-boys. Mindless diatribes that are being held accountable by the judgments of many people that come here, or anywhere that has an IT publication on the web.
This ranting by these fan-boys goes past the word 'absurd'. I like Linux; I use Ubuntu as a toy box and test box for learning new things. I see fault easily enough in any operating system, and check this out -- to use an odious and contemporary word, they all suck with flaws, get over it!
Nothing grieves me more than whiners complaining about their issues with Microsoft, Apple and Linux without ever really doing anything productive. It is no surprise that Linux in any flavor, and Apple, are only hovering around 10% of the world's populace that use Microsoft, especially wading through comments as idiotic as these.
There is no excuse for Linus to lip off and send a lackluster comment out like this, and it leaves me with the realization that, no matter how good he or anyone here thinks the Linux world is, it is only a dismal and fleeting reflection of these ranting diatribes of those that represent the Open Source community.
The very next time you Linux fan-boys want to dishonor the few hard-working people trying to make the PC and IT world a better place, try engaging the mind, expanding your use of language and thought to better suit and represent the community that you value so dearly.
Also, I might add, leave people's family members and personal attacks out of your objectives and opinions. You folks out here remind me of a pack of misfit trolling dogs that should be rounded up and affirmatively dealt with!
Yeah, if you can attempt to bring the "Pro Linux" opinions up a serious notch, which I certainly do not think that you're capable enough, that would really be amazing!
Indeed.
Shows that there is still a glimmer of hope in the dank world of OS wars.
Masturbating Monkeys
I agree with Linus
announcements in ZDNet's ZeroDay blog.
Guess what people? Don't run with administrative privileges and virtually all of that shyt goes away.
Here's the irony: the people most likely to understand what "arbitrary code execution" means should be the least likely to be affected. But in my experience I give people who are supposedly "in the know" way too much credit.
If you insist on running as an administrator on Windows XP/2000/Vista without UAC, then this is for you:
http://www.download.com/RemoveAdmin/3000-2381_4-10824971.html?tag=lst-1&cdlPid=10835515
-M
Privilege escalation
What are you talking about?
"It doesn't matter if you are running as admin because chances are the arbitrary code execution is running as a different user anyways."
You have to get to the machine first...
Don't hold back, Linus!!!!
Torvalds attacks!
I agree too
It's not an "attack" ... it is the TRUTH!!
His words apply not only to Linux, but to Windows, Solaris, OS X, Irix, etc. (i.e. any OS).
When a vulnerability is found, the responsible thing to do is notify the vendor/developer privately and provide enough time to fix the problem. If the vendor/developer is irresponsible (let's say 30 days for a simple problem, 6 months for a huge vulnerability), then and only then should they contemplate releasing the code and info.
Releasing information about a vulnerability just to get the name is just as bad as using the vulnerability to commit computer crimes. All they do is provide free services to criminals instead of helping to resolve the problem.
Competing products...
Both parties are in the wrong here. There shouldn't be bugs to begin with, and the security team at OpenBSD should be reporting flaws to the Linux devs. But they're competing products, so what do you expect?