Torvalds attacks IT industry 'security circus'

Torvalds attacks IT industry 'security circus'

Summary: The Linux creator has labelled creators of the OpenBSD operating system 'masturbating monkeys', as part of a wider critique of what he sees as self-centred behaviour in the IT security industry

SHARE:

Linux creator Linus Torvalds has labelled makers of the OpenBSD operating system a "bunch of masturbating monkeys", as part of a wider critique of what he said was self-centred behaviour in the IT security industry.

In an email to the Linux kernel developer mailing list, Torvalds said a section of the security industry was dedicated to finding bugs in software only to publicise their findings and gain notoriety.

The row erupted in the Gmane mailing list after a developer for the PaX Team, which patches the Linux kernel, accused Torvalds and other top Linux kernel developers of "covering up [the] security impact of bugs" by not clearly labelling them as security flaws.

Torvalds wrote that disclosing the bug itself was enough, without having to label each individual security flaw. He added that taking the bugs to the "security circus" level only glorified the wrong kind of behaviour. "It makes heroes out of security people, as if the people who [...] fix normal bugs aren't as important," wrote Torvalds.

What was left behind for the developers were all the "boring" bugs, which Torvalds considered more important due to their volume.

"Boring normal bugs are way more important, just because there's a lot more of them," wrote Torvalds. "I don't think some spectacular security hole should be glorified or cared about as being any more 'special' than a random spectacular crash due to bad locking," he said.

The Linux leader went on to state that "security people are often the black-and-white kind of people that I can't stand".

Torvalds appeared particularly irked by the creators of the OpenBSD operating system, who have focused on security and auditing when developing their variant of Unix. OpenBSD is known to be used in high-security environments such as the US Federal Bureau of Investigation.

"I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them. To me, security is important. But it's no less important than everything else that is also important!" Torvalds concluded.

Torvalds's comments drew various reactions from the OpenBSD developer community. In an email exchange with ZDNet.co.uk, developer Ken Westerback wrote that an interest in security should lead to fixing all bugs.

"As far as I am concerned OpenBSD is the project with the most demonstrated interest in fixing all bugs found, no matter how trivial, and to systematically examine all source code for instances of bugs encountered," wrote Westerback. "I believe that this is the bedrock principle of pursuing security — software that 'just works' rather than software with Rube Goldberg constructs of knobs and security theatre scenery."

Westerback wrote that software produced by people interested in security "probably works better in most cases because a belief in simplicity, clarity and consistency usually produces better code than other approaches."

Developer Kjell Wooding agreed that OpenBSD coders treat bugs with equal significance.

"There is a certain irony to Linus's comment there," wrote Wooding in an email to ZDNet.co.uk. "The 'a bug is a bug' principle that he is espousing is exactly the approach taken by the OpenBSD developers that I know. The OpenBSD I know doesn't concentrate on security — it concentrates on correctness."

VIDEO

Dialogue Box

Dialogue Box 7.4: The expanding digital universe

How much data will be created and stored in 50 years' time? Rupert and Charles make some extrapolations and come to a startling conclusion

View full video+

OpenBSD developer Bob Beck told ZDNet.co.uk that Torvalds's comments showed "ignorance", as OpenBSD coders did take the approach of dealing with bugs equally.

"The comments sound like much of the usual chestbeating we are used to seeing to make all the fanboys and girls on the lists swoon," wrote Beck. "Realistically it just demonstrates an ignorance of the OpenBSD project."

Beck added that Torvalds's comments were unfortunate, in that they could encourage Linux "fanboys and girls" to not focus on code quality.

"Those sorts of unfounded statements probably contribute to the type of attitude in Linux distributions that results in them introducing spectacular bugs into software ported into their distributions from OpenBSD, such as the recent Debian vulnerabilities," wrote Beck. "To the fanboys this says 'don't listen to security concerned people — they're just masturbating monkeys'. Which leads to more bugs to fix."

Both Wooding and Beck took Torvalds's comments in good humour. "I don't know what Linus's beef is. He seems to be on the same page with respect to this issue. And the 'masturbating monkey' thing? Well that's just funny," wrote Wooding.

OpenBSD developer Artur Grabowski wrote on Thursday that Torvalds had been in touch with the OpenBSD community.

"I talked to Linus about this already, he was humble about it and said it didn't look like it from the outside that we shared the same view," wrote Grabowski.

Liam Tung writes for ZDNet Australia.

Topics: Apps, Software Development

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

1 comment
Log in or register to join the discussion
  • IT industry 'security circus'

    I have always had the idea that security should be the number one priority when writing code, not as an afterthought, like that big Redmond company does. There will always be bugs as long as humans are hand writing programs, it is inevitable.
    ator1940