Torvalds attacks IT industry 'security circus'

Torvalds attacks IT industry 'security circus'

Summary: The Linux creator has some harsh words for creators of the OpenBSD operating system, as part of a wider critique of what he sees as self-centered behavior in the IT security industry

Linux creator Linus Thorvalds has labeled makers of the OpenBSD operating system a "bunch of masturbating monkeys", as part of a wider critique of what he said was self-centered behavior in the IT security industry.

In an email to the Linux kernel developer mailing list, Torvalds said a section of the security industry was dedicated to finding bugs in software only to publicize their findings and gain notoriety.

The row erupted in the Gmane mailing list after a developer for the PaX Team, which patches the Linux kernel, accused Torvalds and other top Linux kernel developers of "covering up [the] security impact of bugs" by not clearly labeling them as security flaws.

Torvalds wrote that disclosing the bug itself was enough, without having to label each individual security flaw. He added that taking the bugs to the "security circus" level only glorified the wrong kind of behavior. "It makes heroes out of security people, as if the people who [...] fix normal bugs aren't as important," wrote Torvalds.

What was left behind for the developers were all the "boring" bugs, which Torvalds considered more important due to their volume.

"Boring normal bugs are way more important, just because there's a lot more of them," wrote Torvalds. "I don't think some spectacular security hole should be glorified or cared about as being any more 'special' than a random spectacular crash due to bad locking," he said.

The Linux leader went on to state that "security people are often the black-and-white kind of people that I can't stand".

Torvalds appeared particularly irked by the creators of the OpenBSD operating system, who have focused on security and auditing when developing their variant of Unix. OpenBSD is known to be used in high-security environments such as the US Federal Bureau of Investigation.

"I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them. To me, security is important. But it's no less important than everything else that is also important!" Torvalds concluded.

Torvalds's comments drew various reactions from the OpenBSD developer community. In an email exchange with, developer Ken Westerback wrote that an interest in security should lead to fixing all bugs.

"As far as I am concerned OpenBSD is the project with the most demonstrated interest in fixing all bugs found, no matter how trivial, and to systematically examine all source code for instances of bugs encountered," wrote Westerback. "I believe that this is the bedrock principle of pursuing security — software that 'just works' rather than software with Rube Goldberg constructs of knobs and security theatre scenery." Westerback wrote that software produced by people interested in security "probably works better in most cases because a belief in simplicity, clarity and consistency usually produces better code than other approaches."

Developer Kjell Wooding agreed that OpenBSD coders treat bugs with equal significance.

"There is a certain irony to Linus's comment there," wrote Wooding in an email to "The 'a bug is a bug' principle that he is espousing is exactly the approach taken by the OpenBSD developers that I know. The OpenBSD I know doesn't concentrate on security — it concentrates on correctness."

OpenBSD developer Bob Beck told that Torvalds's comments showed "ignorance", as OpenBSD coders did take the approach of dealing with bugs equally.

"The comments sound like much of the usual chest beating we are used to seeing to make all the fanboys and girls on the lists swoon," wrote Beck. "Realistically it just demonstrates an ignorance of the OpenBSD project."

Beck added that Torvalds's comments were unfortunate, in that they could encourage Linux "fanboys and girls" to not focus on code quality.

"Those sorts of unfounded statements probably contribute to the type of attitude in Linux distributions that results in them introducing spectacular bugs into software ported into their distributions from OpenBSD, such as the recent Debian vulnerabilities," wrote Beck. "To the fanboys this says 'don't listen to security concerned people — they're just masturbating monkeys'. Which leads to more bugs to fix."

Both Wooding and Beck took Torvalds's comments in good humor. "I don't know what Linus's beef is. He seems to be on the same page with respect to this issue. And the 'masturbating monkey' thing? Well that's just funny," wrote Wooding.

OpenBSD developer Artur Grabowski wrote on Thursday that Torvalds had been in touch with the OpenBSD community.

"I talked to Linus about this already, he was humble about it and said it didn't look like it from the outside that we shared the same view," wrote Grabowski. "We all had a laugh about it."

Topics: Operating Systems, Linux, Open Source, Security, Software

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Torvalds attacks IT industry 'security circus'

    So Linus admits that there are security flaws in linux as well as other bugs? I've been saying that for a long time but the fanboys wouldn't believe me. Now that their leader finally admits to it perhaps the fanboys will too.

    Linus Torvalds has always and will always be a chump. He thinks he knows so much more than anyone else about developing an OS and thats why he ticks everyone off. The guy should just keep his mouth shut for once. Maybe if he gets deported out of the U.S. and back to Finland that will change his attitude.

    It sounds more like Linus is jealous because the OpenBSD project is secure and stable and his OS is not. And that OpenBSD folks preach security above all else which makes it a great platform. There has always been a fued between Linus and the OpenBSD crowd. But what really cracks me up is when Theo basically slaps Linus back into reality and puts him in his place. Nothing is funnier than seeing Linus squirm. I can't wait for Theo to comment on this one.
    Loverock Davidson
    • LD is a chump

      L.D. has always and will always be a chump. He thinks he knows so much more than anyone else about developing an OS and thats why he ticks everyone off.

      OpenBSD, Linux, Unix, all are more secure than Windows. That's a fact even you can't deny.

      • OMG! How original!

        Did you make that up yourself? You are so original.

        [i]OpenBSD, Linux, Unix, all are more secure than Windows. That's a fact even you can't deny.

        Who said anything about Windows? Do you have that much envy for it that you have to bring it up? Wow.
        Loverock Davidson
    • .....

      Like a poor marksman you are missing it completely... ]:)
      Linux User 147560
      • It was right on target

        You people are in denial today.
        Loverock Davidson
        • .....

          Only one in denial is you. ]:)
          Linux User 147560
    • You're right

      And at least with Theo - he does go on long winded rants, but at least his rants have a purpose to them. Linus seems to be like that annoying student in a class who just doesn't know when to shut up and listen to the professor.

      Yes, security has turned into a circus, but at the same time, down playing a security bug to being equal to that of a US driver bug which results in slower speeds - doesn't give me any hope that he knows the idea of triage.
      • Right you are

        That's why Theo's comments will be welcomed. I want to see him b-slap Linus again. Security buts are definitely important.
        Loverock Davidson
    • This is amazing!

      After reading the article and then gandering at the commentary, and seeing the explosive personal attacks in the (lack of interesting) commentary responding to your opinion of Linus Torvalds' childish and at best, boorish comment about the security issues vs the ordinary bugs in the Linux code -- How quick these mindless rants came about and brining into it, a personal attack against you, the author of the comment I speak of.

      It is mind-numbing to read such rants for either the Mac or the Linux fan-boys. Mindless diatribes that is being held accountable by the judgments of many people that come here, or anywhere that has an IT publication on the web.

      This ranting by these fan-boys goes passed the word 'absurd' I like Linux, I use Ubuntu as a toy box and test box learning new things. I see fault easily enough in any operating system, and check this out -- To use an odious and contemporary word, they all suck with flaws, get over it!

      Nothing grieves me more than whiners complaining about their issues with Microsoft, Apple and Linux without ever really doing anything productive. It is no surprise that both Linux in any flavor, and for Apple that it is only hovering around 10% of the world's populace that use Microsoft, especially wading through comments as idiotic as these.

      There is no excuse for Linus to lip off and send a lackluster comment out like this, and leaves me to the realization, no matter how good he or anyone here thinks the Linux world is, it is only a dismal and fleeting reflection of these ranting diatribes of those that represent the Open Source community.

      The very next time you Linux Fan-Boys want to dishonor the few hard working people trying to make the PC and IT world a better place, try engaging the mind, expanding your use of language and thought to better suite and represent the community that you value so dearly.

      Also, I might add, leaving people's family members and personal attacks out of your objectives and opinions. You folks out here remind me of a pack of misfit trolling dogs that should be rounded up and affirmatively dealt with!

      Yeah, if you can attempt to bring the "Pro Linux" opinions up a serious notch, which I certainly do not think that you're capable enough, that would really be amazing!
      • Indeed.

        Haha, you got it so right there!
        Shows that there is still a glimmer of hope in the dank world of OS wars.
    • Masterbating Monkeys

      So if you put thousands of masterbating monkeys in a room, and gave them 10 years they could apparently created the most secure operating system in the world. Put's an end to *that* argument.
  • I agree with Linus

    Just look at all the "Arbitrary Code Execution"
    announcements in ZDNet's ZeroDay blog.

    Guess what people? Don't run with administrative
    privileges and virtually all of that shyt goes away.

    Here's the irony, the people most likely to understand what
    "arbitrary code execution" should be the least likely to be
    affected. But in my experience I give people who are
    supposedly "in the know" way too much credit.

    If you insist on running as an administrator on Windows
    XP/2000/Vista without UAC, then this is for you:

    • Priviledge esculation

      If I can run abitrary code you PC then I can esculate the privs to admin. It doesn't matter if you are running as admin because chance are the abitrary code execution is running as different user anyways. It all depends on the vulnerability. Microsoft make is so easy escalate you privs. I'd bypass Admin and go for System instead, then I really own and it doesn't if you are running as basic user or as admin. To top this off it all can be done automatically with a certain nifty tool available for down on the net that I will not mention. There are also a couple of nice web sites for this stuff too if you have bit of programming knowledge as the examples are purposefully crippled by missing line here or there.
      • What are you talking about?

        Nonsense looks like to me.

        "It doesn't matter if you are running as admin because chance
        are the abitrary code execution is running as different user
        anyways. "
      • You have to get to the machine first...

        And anyone who is truly concerned about security shouldn't be relying on their OS connected directly to the public internet to provide the security anyway. Some level, sure. But if you take away the ability to get directly to the desktop, you filter all your IP traffic through a firewall/IPS device, having AV and Malware scanning on ALL ip based traffic in and out of your network, then you're going to have a very hard time getting into a PC, be it Windows, Linux, Mac or OpenBSD.
  • Don't hold back, Linus!!!!

    Tell us how you REALLY feel!! <snicker>
  • Torvalds attacks!

    I agree with Linus on this one.
    • I agree too

      However, now that he's pushing 40 I think it's high time he learned how to voice his opinion like an adult.
      Michael Kelly
    • It's not an "attack" ... it is the TRUTH!!

      What Tovalds is saying is 100% true. Many in the security industry are there just to get glory and are totally irresponsible.

      His words apply to not only Linux, but Windows, Solaris, OS-X, Irix, etc. (ie: any OS).

      When a vulnerability is found, the responsible thing to do is notify the vendor/developer privately and provide enough time to fix the problem. If the vendor/developer is irresponsible (lets say 30 days for a simple problem, 6 months of a huge vulnerability) then and only then should they contemplate releasing the code and info.

      Releasing information about a vulnerability just to get the name is just as bad as using the vulnerability to commit computer crimes. All they do is provide free services to criminals instead of helping to resolve the problem.
      • Competing products...

        They're competing products though. If you found a flaw in your competitor's product, you'd most likely tout it as well in order to bring positive attention to [i]your[/i] product.

        Both parties are in the wrong here. There shouldn't be bugs to begin with and the security team at OpenBSD should be reporting flaws to the Linux devs. But they're competing products so what do you expect?
        Uncle Ebeneezer