Torvalds Mad at Security Industry

A couple of days ago in the gmane mailing lists Linus Torvalds, the famous creator of Linux went berserk against what he named as "the whole security circus".

Apparently, he's very annoyed by the fame-boost people get each time they find a new security bug. In the same post he also delighted us with some quotes regarding OpenBSD as; "I think the OpenBSD crowd is a bunch of masturbating monkeys" and "...they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them..."

He states that in his view, a security bug is no more important than any other traditional bug and in fact, traditional bug are _WAY_ more important. Here is the link to the original post and here's a copy of the message:
On Tue, 15 Jul 2008, Linus Torvalds wrote:
> So as far as I'm concerned, "disclosing" is the fixing of the bug. It's
> the "look at the source" approach.

Btw, and you may not like this, since you are so focused on security, one
reason I refuse to bother with the whole security circus is that I think
it glorifies - and thus encourages - the wrong behavior.

It makes "heroes" out of security people, as if the people who don't just
fix normal bugs aren't as important.

In fact, all the boring normal bugs are _way_ more important, just because
there's a lot more of them. I don't think some spectacular security hole
should be glorified or cared about as being any more "special" than a
random spectacular crash due to bad locking.

Security people are often the black-and-white kind of people that I can't
stand. I think the OpenBSD crowd is a bunch of masturbating monkeys, in
that they make such a big deal about concentrating on security to the
point where they pretty much admit that nothing else matters to them.

To me, security is important. But it's no less important than everything
*else* that is also important!

Tough words to read from someone who did so much for what we have today.


des said...

Hi infi! Glad to see you continue writing :)

Just a comment: If we don't take into account the not-very-well-educated comments (masturbating monkeys??), I think Torvals has got his point: there is no point in security, if the product is not good enough to satisfy user needs.

infi said...

Hi des! :)

Maybe it's just my innocent point of view but avoiding security in the process is just building something waiting to malfunction, which doesn't fit much in my "good enough" rating. But again...it's just me.

des said...

I'll try another aproximation:

As security practitioners working in a development team, our goal is to have a 100% secure product. It's our job, we have to keep working hard to achieve it. It's not just you, infi, that is my own philosophy, too, and the idea of almost everyone working in this field ;)

However, as we have difficulties trying to educate people in security, we tend to insist that much in the importance of security, that looks like we forget about other's work. We can develop the most secure program of the world, but it will not matter if it doesn't satisfy user needs. That was the idea if my first comment.

As well as this, we have our ego: we like to have credit if we discover a vulnerability, we want to be known and if possible, be called "hackers". Maybe it is this what linus means by saying "masturbating monkeys". In other fields (in my opinion) people do not care that much about recognition. In order to make others listening to us, we should make clear we respect their work, whatever it is.

Maybe linus' words are hard, but they are a good criticism we should take into account.

des said...

An small addition to the second paragraph of my previous comment: if it doesn't satisfy user needs, then our product will not be used... which is other's work goal.

infi said...

Nice point there, that made it clearer, thanks for that. I guess I lack some in field work :-), that's to come in the future. I'll enjoy my little warm bubble for now :D