Linus Torvalds vs. the internet security pros

A recent Washington Post article entitled "Net of Insecurity" re-bundled old FUD about Linux and the internet's security.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

The Washington Post feature story, Net of Insecurity: The kernel of the argument, opens "Fast, flexible and free, Linux is taking over the online world. But there is growing unease about security weaknesses."

Linus Torvalds takes security seriously, but not seriously enough for some critics.

Nonsense. Linux already runs the Internet and it has for over a decade now.

Google, Facebook, Yahoo, Netflix -- unless its name is Microsoft, its Web presence is based solidly on Linux.

Oh, wait, what's this? Microsoft is moving to Linux too. Microsoft Azure Networking principal architect Kamala Subramaniam announced that Azure Cloud Switch (ACS), a Linux-based network program, "allows us the flexibility to scale down the software and develop features that are required for our data-center and our networking needs."

Some people argue, however, that Linux's founder and leader, Linus Torvalds, doesn't take security seriously enough. The Post notes that Torvalds has snarled at security experts over the years.

You see, there's nothing new about the conflicts between Torvalds and some security pros.

Sure, quote mining can come up with gems from 2008 such as when he said "the OpenBSD crowd is a bunch of masturbating monkeys." But it misses the context. In the same Linux kernel mailing list message, Torvalds also wrote:

I refuse to bother with the whole security circus in that I think it glorifies - and thus encourages - the wrong behavior. It makes "heroes" out of security people, as if the people who don't just fix normal bugs aren't as important.

In fact, all the boring normal bugs are _way_ more important, just because there's a lot more of them. I don't think some spectacular security hole should be glorified or cared about as being any more "special" than a random spectacular crash due to bad locking.

To me, security is important. But it's no less important than everything *else* that is also important!

Not surprisingly, people who make their living from security are ticked off at Torvalds.

Torvalds does take security seriously. He just doesn't make it the be-all and end-all of his operating system work.

After 30 years of working with operating systems, networking, and security, here's how I see security.

As security expert Bruce Schneier put it, "Security is a process, not a product."

Torvalds agrees. His message, according to the Washington Post, is this: "Security of any system can never be perfect. So it always must be weighed against other priorities -- such as speed, flexibility, and ease of use -- in a series of inherently nuanced trade-offs. This is a process, Torvalds suggested, poorly understood by his critics."

The real security problem has always been people. More systems have been broken into as a result of bad security practices, such as lousy passwords, than by clever hackers breaking their way into obscure technical security holes.

Sure, those holes are dangerous, but Linux is open source. Eric S. Raymond, an early open-source intellectual leader, summed it up in what he called Linus's Law: "Given enough eyeballs, all bugs are shallow." He's right.

That does not mean open-source software is automatically more secure than proprietary programs. It isn't; the eyeballs only help if someone actually uses them.

Open-source's biggest failure to date was OpenSSL's Heartbleed. The hole was a missing bounds check in OpenSSL's implementation of the TLS heartbeat extension. TLS itself, the Internet's primary security protocol, was sound, but the library most servers used to speak it would hand chunks of its own memory, private keys included, to any client that asked.

It happened because of magical thinking. Everyone assumed that OpenSSL must be perfectly safe because it had a reputation for being safe, and therefore it was safe. Developers, website operators, security experts: one and all, it seems, no one used their eyeballs to check whether the code really was safe. It wasn't.

In no small part, that was because there were only two, count 'em, two programmers working on OpenSSL.
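To show what those missing eyeballs would have caught, here is an added illustration (not OpenSSL's code and not part of the original article) of the heartbeat defect in miniature. A heartbeat message is a type byte, a two-byte payload length, the payload, and at least 16 bytes of padding. The buggy responder copies as many bytes as the peer's header claims; the fixed one first checks that claim against the record it actually received. The process memory, the "secret" that follows the record, and the request are all constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added illustration, not OpenSSL code. Models a TLS heartbeat message (RFC 6520):
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of padding
 * The defect behind Heartbleed: the responder trusted payload_length from the
 * peer and copied that many bytes even when the record it received was far
 * shorter, so whatever sat after the record in memory went back to the peer. */

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_MAX_OUT   (3 + 65535 + HB_PADDING)   /* largest possible response */

/* Read the header; returns 0 and the declared payload length, or -1. */
static int hb_declared_len(const uint8_t *rec, size_t rec_len, uint16_t *declared)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    *declared = (uint16_t)((rec[1] << 8) | rec[2]);
    return 0;
}

/* Buggy responder: never compares `declared` with `rec_len`.
 * `mem` holds the record; bytes after rec_len model whatever else the process
 * had in memory. Returns the response length, or -1 on a malformed header. */
static int heartbeat_vulnerable(const uint8_t *mem, size_t rec_len, uint8_t *out)
{
    uint16_t declared;
    if (hb_declared_len(mem, rec_len, &declared) < 0)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = mem[1];
    out[2] = mem[2];
    memcpy(out + 3, mem + 3, declared);      /* over-reads past the record */
    memset(out + 3 + declared, 0, HB_PADDING);
    return 3 + declared + HB_PADDING;
}

/* Fixed responder: the check the 2014 patch added. Drop the message if
 * type + length + payload + padding would exceed the record actually received. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    uint16_t declared;
    if (hb_declared_len(rec, rec_len, &declared) < 0)
        return -1;
    if ((size_t)1 + 2 + declared + HB_PADDING > rec_len)
        return -1;                            /* silently discard, as the fix does */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, declared);
    memset(out + 3 + declared, 0, HB_PADDING);
    return 3 + declared + HB_PADDING;
}

/* Constructed demo memory: a 21-byte request whose header claims 40 bytes of
 * payload but carries only "hi", followed by a fake secret that should never
 * leave the process. Returns the real record length. */
#define DEMO_MEM_SIZE 64
static const char DEMO_SECRET[] = "SECRET-KEY-BYTES";   /* constructed, not real */

static size_t build_demo_memory(uint8_t mem[DEMO_MEM_SIZE])
{
    memset(mem, 0, DEMO_MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = 0x00; mem[2] = 0x28;             /* declared payload = 40 bytes */
    mem[3] = 'h'; mem[4] = 'i';               /* actual payload = 2 bytes   */
    size_t rec_len = 3 + 2 + HB_PADDING;      /* = 21; padding left as zeros */
    memcpy(mem + rec_len, DEMO_SECRET, sizeof DEMO_SECRET); /* lands at offset 21 */
    return rec_len;
}

/* Returns 1 if the buggy responder echoes the secret and the fixed one refuses. */
static int demo_heartbleed(void)
{
    uint8_t mem[DEMO_MEM_SIZE];
    uint8_t out[HB_MAX_OUT];
    size_t rec_len = build_demo_memory(mem);

    int n = heartbeat_vulnerable(mem, rec_len, out);
    /* mem offset 21 (the secret) is copied to out offset 3 + (21 - 3) = 21 */
    int leaked = (n == 59) && memcmp(out + 21, DEMO_SECRET, 6) == 0;
    int refused = heartbeat_fixed(mem, rec_len, out) == -1;
    return leaked && refused;
}

int main(void)
{
    printf("buggy responder leaked the secret and the fixed one refused: %s\n",
           demo_heartbleed() ? "yes" : "no");
    return 0;
}
```

The fix is one comparison, which is the point: the bug was not subtle cryptography, it was an unchecked length field, the kind of thing a reviewer reading the function with the protocol layout in front of them would have questioned.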

Today, The Linux Foundation's Core Infrastructure Initiative (CII) identifies cash-poor, mission-critical open-source projects and funds them so such problems don't happen again. There are also security best-practice guidelines for open-source projects to help programmers avoid the same mistakes.

In the case of Linux, that's not a problem. There are about 10,000 Linux developers. Security isn't job number one for most of them, but they keep their eyes open for potential security bugs.

Does Linux need better security? Sure.

No one doubts that. At the Seoul Linux Kernel Summit, kernel security maintainer James Morris recently presented a long list of significant strategic security problems. These can and will be dealt with.

I, for one, trust Linus's gradual approach to security fixes over radical changes that could damage Linux's performance and features. Perfect? No. Better than any other choice? Yes.
