
Linus Torvalds on the "security circus" (2008) - vog
http://lkml.org/lkml/2008/7/15/296
======
ori_b
He's wrong. Security bugs affect people who might not be using the system at
the time, while ordinary bugs only affect the one user.

If a server with credit card information permanently corrupts the filesystem,
and bricks all the hardware, and more or less does the worst that a
non-security related software failure can do, the server gets reimaged or
replaced. It costs maybe a few thousand dollars to replace. Nobody is really
affected because failures are expected.

If a server with credit card information has a security bug, then credit card
fraud and its associated costs have to be dealt with, identities might have
been stolen, and in general, large numbers of people are affected, possibly
severely.

~~~
fmx
Agreed. His broader point about not "glorifying" security researchers is
valid, but he goes way too far when he says security bugs aren't more
important.

There is no point in telling him he's wrong, either. He'll just call you a
"masturbating monkey".

~~~
jasonlotito
So what you are saying is that security fixes should be highlighted separately
from regular bug fixes? That in a release, these security fixes should be
highlighted and made clear specifically what security fixes went into place?

Because that is what is being discussed here.

~~~
tptacek
This is at the end of the day just so silly. Besides the fact that this is an
argument from something like 3 years ago, it's also the case that Linus and
the kernel development team just don't have to have anything to do with this
process. If you want to pursue secret handshake security for Linux code, set
up a project to do that. Projects doing exactly that date back to the mid
'90s.

Is this really anything more than yet another opportunity for message board
geeks to go "RARRR!"?

~~~
jasonlotito
"This is at the end of the day just so silly."

What is silly? Really, I have no clue as to what you are trying to say.

------
tptacek
Ancient. I stand by my response the first time this appeared on HN:

<http://news.ycombinator.com/item?id=247753>

~~~
BrandonM
Thanks for that link... the context and information there is very good.

As an aside: Holy crap! Reading that thread reminded me how high signal/noise
used to be on HN. Quite sad.

~~~
tptacek
I blame story selection. There is a pronounced unmistakable bias towards
bullshit controversies on HN.

------
JoachimSchipper
This won't be popular, but: Linus' attitude is part of why Linux _sucks_ at
security.

Go to e.g. osvdb.org, search for 'Linux kernel': 878 results. Search for
'Solaris', which includes _many_ non-kernel vulnerabilities: 595 results;
search for 'freebsd': 171, including e.g. ftpd issues; search for 'OpenBSD':
93, again including stuff like an XSS in OpenBGPD's bgplg ( _very_ much not
part of the kernel!) This is not merely historical; Full-Disclosure readers
get a "vulnerabilities in Linux kernel: 20 issues fixed" every month or so.

Yes, Linux has some really nifty stuff, lots of people are looking at it, and
things like GrSecurity can be useful. But it also has a _lot_ of (local)
kernel-level vulnerabilities compared to similar pieces of software.

~~~
tptacek
It won't be popular for a variety of reasons, the foremost two being:

1. It's a very dumb metric, for reasons stated well downthread and for many
others (the bewildering number of off-by-default hardware and kernel features
many of those vulns appear in being another).

2. The fairly obvious rebuttal that things Linus says on message boards
actually have little to do with the security of Linux, and that the particular
thing Linus said this time has _practically nothing_ to do with the security
of Linux.

With the possible exception of OpenBSD†, nobody clueful picks server platforms
other than Linux with the expectation that it is going to be easier to keep
them secure on the Internet.

† _Reasonable people can disagree about the extent to which OBSD is a win; in
2011, I'd rather have Spengler on my side than Theo._

~~~
JoachimSchipper
It is not a very good proxy for how likely you are to get 0wned. It is
available, though, and I'm not convinced that it's _so_ bad that a 5x (Linux
kernel/FreeBSD) or 9.4x (Linux kernel/OpenBSD) difference still doesn't say
anything.

Linus' words don't affect code quality; but wanting to move quickly does, and
Linux does move quickly. I agree that Spengler is pretty awesome, though.

------
michael_dorfman
Can someone edit the title to add "(2008)"?

~~~
now
Can someone edit the title to read “Linus Torvalds on the ‘OpenBSD crowd … of
masturbating monkeys’ (2008)”?

~~~
now
Ouch. Was it that unfunny?

------
protomyth
"I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they
make such a big deal about concentrating on security to the point where they
pretty much admit that nothing else matters to them." - Linus Torvalds

<http://www.openbsd.org/goals.html> - OpenBSD goals (security is #3).

I still think it was a cheap shot and not representative of the project. Goal
#2 seems to get a lot more play in heat from the OpenBSD project.

~~~
ciupicri
I must say that Linux managed to beat them at goal #1 ("including the ability
to look at CVS tree changes directly") by using git instead of CVS.

~~~
protomyth
I don't think choice of git over CVS really has anything to do with the goal
or history of why it is a goal.

~~~
ciupicri
git is easier to use than CVS and more practical because of its speed and
distributed nature. Add the (controversial) topic branches to the mix and you
have an easy way to contribute to the project or make your own custom fork.

Sure if you look just at the source code, I agree that the one for OpenBSD
looks better than the one for Linux.

------
TheBoff
I think perhaps he is slightly overreacting to get his point across. Whilst
security bugs may well be worse than a lock up (due to stolen data etc.), they
aren't the be all and end all of the system. I think he thinks that perhaps
the security people won't pay any attention to his point unless he is very ...
blunt about it.

------
InclinedPlane
Likely scenarios resulting from various system defects:

Non-security defect: system goes down for a while, company loses money,
possibly data, reputation suffers. Companies using sensible redundancy and
backup procedures are able to recover.

Security defect: system is compromised, user data stolen, internal company
secrets stolen, financial data stolen, financial instruments (CC data) stolen.
Massive impact on the company and on the customers, much higher potential for
the destruction of the company due to damage to its brand and its business.

------
josefresco
It's the old academic vs. real world dilemma just re-framed around operating
systems. Is it worth securing the OS to the detriment of bug fixes? Will users
be happy with a secure but buggy OS? The answer is always a balance between
the two, but I think Linus is right to knock 'security' off the pedestal as
the most noble of pursuits. Security alone isn't enough.

------
raz0r
Oh, the Linus Circus is in town again. Good times.

~~~
KonradKlause
Why are you down-voting this?

~~~
KonradKlause
Sorry, this is _exactly_ why HN sucks. Am I not even allowed to criticize you
or ask questions?

~~~
ascendant
All communities have some degree of self policing. Those that allow any
commentary to go by usually end up embroiled in vitriol and snark. HN strives
to keep a specific level of intelligence (to varying degrees of success). As
was stated elsewhere, and I mean no disrespect by this, if the
community-enforced standards of comment quality do not appeal to you, you have the
choices of (A) not commenting, (B) spending more time asking yourself if your
comments will be deemed acceptable by the community or (C) leaving.

I too like to fire off witty, snarky comments. But after a few of them got
torn apart vote-wise, I now spend more time asking myself if I will be adding
anything useful to the discussion. While I try to refuse the allure of
groupthink just so I can get the rush of seeing my karma count move up, I do
attempt to at least find a way to state my opinion in a way that is palatable
and intelligent.

------
udoprog
The week would not be complete w/o a Linus rant.

------
Vivtek
Well, nobody ever said Linus Torvalds kept his opinions a closely held secret.

------
Tharkun
Why exactly is this on HN? It's not only very old, but it's also just plain
stupid.

------
BasDirks
tl;dr: Linus thinks "the OpenBSD crowd is a bunch of masturbating monkeys"

~~~
nasmorn
It is so sad that Wikipedia doesn't feature IMDB style quotations in its bios.
This one would really make Linus' read less drab.

