Torvalds Lambasts The Security Community (Again)

Apparently, Linux kernel creator Linus Torvalds has no problem expressing his opinion, and he did so vehemently in a back-and-forth e-mail exchange with the editors of Network World this week. What got Torvalds so heated is his perception that security vulnerabilities are so incredibly over-hyped that he calls the whole affair a "security circus."

What started this whole tirade was a post Torvalds made to the Linux kernel developer newsgroup four weeks ago, where he lobbed his opinions on how the "security circus... glorifies and... encourages the wrong behavior," and where he saved his cruelest and most politically incorrect statement for the uber-security-minded OpenBSD developers:

Image: Linus Torvalds (Credit: Wikipedia)
"Security people are often the black-and-white kind of people that I can't stand. I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them."

Needless to say, his comments did not sit well with the OpenBSD community. OpenBSD developer Ken Westerback responded to Torvalds's comments in an e-mail to ZDNet.co.uk editors a few days later:

"As far as I am concerned OpenBSD is the project with the most demonstrated interest in fixing all bugs found, no matter how trivial, and to systematically examine all source code for instances of bugs encountered... I believe that this is the bedrock principle of pursuing security — software that 'just works' rather than software with Rube Goldberg constructs of knobs and security theatre scenery."

Fast-forward to this week's e-mail exchange between Torvalds and Network World, in which Torvalds expounded further on his opinion of the state of today's security environment:

"Too often, so-called 'security' is split into two camps: one that believes in nondisclosure of problems by hiding knowledge until a bug is fixed, and one that 'revels in exposing vendor security holes because they see that as just another proof that the vendors are corrupt and crap, which admittedly mostly are,' Torvalds states...

'Both camps are whoring themselves out for their own reasons, and both camps point fingers at each other as a way to cement their own reason for existence,' Torvalds asserts. He says a lot of activity in both camps stems from public-relations posturing.

He says neither camp is absolutely right in any event, and that a middle course, based on fixing things as early as possible without a lot of hype, is preferable.

'You need to fix things early, and that requires a certain level of disclosure for the developers,' Torvalds states, adding, 'You also don't need to make a big production out of it.'"


Torvalds also finds fault with the concept of "security labeling," where seemingly every update to the Linux kernel is blasted out as a security advisory: "What does the whole security labeling give you? Except for more fodder for either of the PR camps that I obviously think are both idiots pushing for their own agenda?" Torvalds additionally commented that "synchronized releases" from vendors, with fixes held under embargo, only delay the release of timely fixes for known bugs. Torvalds envisions a middle ground where security issues are kept private but shared with the relevant people, and where embargoes are not "some insane absolute thing."

There is no question that Torvalds likes to speak his mind and stir up controversy. But perhaps that is the whole point. If his assessment that the security community has become a giant self-perpetuating business is accurate, then perhaps the way the security community addresses and fixes bugs requires an overhaul. At the very least, it makes for good drama.

I agree with him. Anti-virus companies don't teach people how to be safe at all. When Vista came out they were up in arms because their software didn't work with Vista, because, well, Vista had better security. If you just behave right on the internet then you don't need it. I don't run an antivirus. I scan once a month or so and I have not had one virus since I got Vista. In Linux I run as root. Though I've broken my install a few times, that was my fault, not because someone or something took over my rig.


While for the most part I agree, there have been remote execution exploits that don't require you to do anything (other than be on the net) to get infected.


Just adding a router helps kill a lot of that.


A router with a hardware firewall is the first and best thing to do. Not opening email attachments from people, whether you know them or not, is one too, unless it is expected or explained in the email as well. I think Norton and McAfee are crap as well; it's almost like knowledgeably putting several spybots in your computer. I have been on the internet since before day one in the BBS world. I have gotten a virus maybe 3 times in all that time, and I think it was only two; all were fixable except 1 of them.


All good points, but the "typical" user is probably not as tech-savvy as us HH readers. Often, the average user is dependent on what the "experts" tell them to do, and often those "experts" are the security companies and the press. I'd bet that "average" users encounter more legitimate security problems (viruses, phishing e-mails, trojans, etc.) than the average HH user.


I agree that most users need anti-virus. But the anti-virus companies don't educate people; they just try to make money. Not that I blame them, because they are a business. Also, the average user is not running OpenBSD.
