Linus Torvalds Calls Some Security Experts “Morons” Who “Can’t Be Trusted”

Megalith

Linus Torvalds slammed a Google security expert about his approach to cybersecurity after a request to change the Linux kernel, saying that some security professionals are “f*cking morons.” The Linux creator is fed up with the focus on process-killing rather than debugging by experts who believe that “security is so important that nothing else matters.”

If a security person won’t accept “that security problems are primarily just bugs,” then Torvalds doesn’t “want to work” with them. “If you don’t see your job as ‘debugging first,’ I’m simply not interested,” he said. “Stop this idiotic ‘kill on sight, ask questions later,’” he added. “Because it’s wrong.”
 
Not a "security expert" but Linus is spot on on this one.

If you ever get to look at source code from pretty much anybody and you actually know how stuff should be coded, you will just about go on a rampage because people write such horrible code.

Poor documentation, horrible formatting, meaningless variable/function/whatever names, uselessly complicated functions that could easily be simplified and do the same exact thing way faster, pointless steps taken, global variables when not needed, debug code left in, etc.
 
As a developer myself, I 100% agree with him on that. At its very root everything is just code: firmware code, kernel code, UI code, client code, whatever. All security flaws are bugs in code. Logically I can't see this being argued any other way. That said, removing code can sometimes increase security, by removing the possibility of bugs.
 
Not a "security expert" but Linus is spot on on this one.

If you ever get to look at source code from pretty much anybody and you actually know how stuff should be coded, you will just about go on a rampage because people write such horrible code.

Poor documentation, horrible formatting, meaningless variable/function/whatever names, uselessly complicated functions that could easily be simplified and do the same exact thing way faster, pointless steps taken, global variables when not needed, debug code left in, etc.


Fucking hell, I've been saying it for years!

"SHITTY PROGRAMMING!!!"
 
Not an expert. However my dad has been programming for years with the state and totally agrees.

He blames poor coding and went on a rant about some programmers actually leaving notes about sealing vulnerabilities and not going back to patch them......
 
Am an expert, Torvalds is so far off base here it's not even funny. He curses a few times and the media runs with it like it's gospel. Sure, security exploits are caused by programming bugs. There will always be programming bugs, and the OS should prevent malicious activity. Linux's track record for security is abysmal. I've been running grsec/pax/rbac since their inception. It has no impact on the normal operation of a system when properly configured. The "kernel developers'" grasp on security is so poor they try to implement basic security features that have been around for over a decade and can't even do it right.

https://git.kernel.org/pub/scm/linu...g?id=7b3d61cc73a1abe4c2c7eaf00093b338c8b233b0

Brad (of grsec) tweets about all the idiotic things they do quite often. The pax team also.

https://twitter.com/grsecurity

https://twitter.com/paxteam
 
Am an expert, Torvalds is so far off base here it's not even funny. He curses a few times and the media runs with it like it's gospel. Sure, security exploits are caused by programming bugs. There will always be programming bugs, and the OS should prevent malicious activity. Linux's track record for security is abysmal. I've been running grsec/pax/rbac since their inception. It has no impact on the normal operation of a system when properly configured. The "kernel developers'" grasp on security is so poor they try to implement basic security features that have been around for over a decade and can't even do it right.

https://git.kernel.org/pub/scm/linu...g?id=7b3d61cc73a1abe4c2c7eaf00093b338c8b233b0

Brad (of grsec) tweets about all the idiotic things they do quite often. The pax team also.

https://twitter.com/grsecurity

https://twitter.com/paxteam

I'll take Linux for security over Windows or MacOS any day of the week.
 
I am struggling to understand what they mean when they say "hardening". Anyone have a definition for the armchair coders out there?
 
It seems like Linus isn't used to working with different groups with different goals. Let's say Linus is building a safety feature for cars. Linus believes that if your airbag has a defect and is going to fire shrapnel in your face, your number 1 task is to fix it. The NTSB guy believes that the number 1 task is to remove them until a fixed replacement is available so that the 100 people who crash each day don't get shrapnel in their face but can get back to business right away. They're both correct in their own spheres of influence, but Linus simply doesn't understand how businesses work outside his own development industry and calls the NTSB guy a moron and insists that they just leave things be until the replacement is available, which saves the time, effort, and complexity of a lateral move then back. In the meantime 10 days pass and 1000 more people get shrapnel in their face. The NTSB guy is probably going to cause a bit more of a headache for the developers while preventing a whole lot more headache for the user base. Linus is only interested in his developers.
 
Am an expert, Torvalds is so far off base here it's not even funny. He curses a few times and the media runs with it like it's gospel. Sure, security exploits are caused by programming bugs. There will always be programming bugs, and the OS should prevent malicious activity. Linux's track record for security is abysmal. I've been running grsec/pax/rbac since their inception. It has no impact on the normal operation of a system when properly configured. The "kernel developers'" grasp on security is so poor they try to implement basic security features that have been around for over a decade and can't even do it right.

https://git.kernel.org/pub/scm/linu...g?id=7b3d61cc73a1abe4c2c7eaf00093b338c8b233b0

Brad (of grsec) tweets about all the idiotic things they do quite often. The pax team also.

https://twitter.com/grsecurity

https://twitter.com/paxteam

el-oh-el
 
I'll take Linux for security over Windows or MacOS any day of the week.

Heh I'm honestly not sure why... If you're stuck in 2000 sure Windows was rough around the edges at that time. Microsoft easily hardens their systems as best as anyone in the business. The sticking point is that you actually have to get people to patch the system in order for the vulnerabilities to go away. It doesn't matter what OS it is if no one is actually applying the fixes.


Tell me about dirtycow and how many years worth of Linux kernels are/were vulnerable.

I prefer real world examples. Android phones, Linux soho routers. Millions of devices are out there vulnerable running Linux because they were misconfigured or not patched. Windows is in the same boat. Neither one is better than the other if no one is doing their part in fixing their stuff.
 
He sure is an arrogant fuck, isn't he?

It seems like Linus isn't used to working with different groups with different goals. Let's say Linus is building a safety feature for cars. Linus believes that if your airbag has a defect and is going to fire shrapnel in your face, your number 1 task is to fix it. The NTSB guy believes that the number 1 task is to remove them until a fixed replacement is available so that the 100 people who crash each day don't get shrapnel in their face but can get back to business right away. They're both correct in their own spheres of influence, but Linus simply doesn't understand how businesses work outside his own development industry and calls the NTSB guy a moron and insists that they just leave things be until the replacement is available, which saves the time, effort, and complexity of a lateral move then back. In the meantime 10 days pass and 1000 more people get shrapnel in their face. The NTSB guy is probably going to cause a bit more of a headache for the developers while preventing a whole lot more headache for the user base. Linus is only interested in his developers.

Exactly.
 
A bad design with no software bugs can be worse than a good design with bugs. No matter how well written an HTTP module is, it still communicates in the clear. A less well written HTTPS module will in many cases be more secure since the data will be encrypted.

Security is more than just the OS kernel.
 
I prefer real world examples. Android phones, Linux soho routers. Millions of devices are out there vulnerable running Linux because they were misconfigured or not patched. Windows is in the same boat. Neither one is better than the other if no one is doing their part in fixing their stuff.


Something like 12 years of vulnerable Linux kernels. It is real world.
 
Fucking hell, I've been saying it for years!

"SHITTY PROGRAMMING!!!"

While I'm not knowledgeable about security (as that's not my field of focus), I agree, but often the quality of code is in the eye of the beholder. That's why we have programming standards at companies, and often they conflict from one company to another. Tabs vs spaces, indentation style, Hungarian notation, etc. I would say if you work in software development, you'll be lucky to see one or two pieces of quality code in a decade, and this includes top tier companies such as Google.
 
I used to work for a large software company. Some of the code I worked with was 15-20 years old. It was shit! Everyone knew it. When version "next" was announced, it was all about new features and increasing sales. How much time was allocated for fixing old issues? None. When 64 bit systems rolled out, we hacked our code to compile as 64 bit - it did not take advantage of it at all. We also added thread support - but just enough to get a "checkbox" on a marketing brochure.

Sure, if a big issue was discovered (by a client), we'd spot fix it. The fix was usually more of a hack. I know, I wrote some of them. I can't blame the programmers - we literally had 0 time allocated. If you wanted to do anything "right", you had to work lots of overtime (with no extra pay). I worked several 80-90 hour weeks.

I once fixed a memory leak (took me about a week to track down) that caused one of our programs to crash in 3-5 months (depending on how you used the software). I checked the fix in. I got yelled at for an unauthorized code change. It got rejected! The retail version of the software shipped with a known leak because management didn't want to retest anything. Tech support didn't want to create a patch. The reasoning? The client would probably reboot the box before it crashed. This was software that ran on servers...
 
Not a security expert but I do have considerable experience in managing businesses both virtual and real.

Sooo many can't see that 'remember me' is the same as leaving a key in the lock. Once the key is there, a cat, a dog, a monkey, can turn it.

Sooo many can't understand how 'keep me logged in' is like leaving the windows open and the doors unlocked.

Sure I can begrudge various OS/firmware/software exploits as bugs but to me the greatest vulnerabilities are still the users.
 
Not a security expert but I do have considerable experience in managing businesses both virtual and real.

Sooo many can't see that 'remember me' is the same as leaving a key in the lock. Once the key is there, a cat, a dog, a monkey, can turn it.

Sooo many can't understand how 'keep me logged in' is like leaving the windows open and the doors unlocked.

Sure I can begrudge various OS/firmware/software exploits as bugs but to me the greatest vulnerabilities are still the users.
Yep, usually humans are the weakest link in security.....
 
I think the true answer lies in the middle. I completely agree that security issues are caused by bugs that can and should be fixed. However there will always be bugs, so a focus should be on fixing them but that shouldn't be the only preventative measure.

And yes, users are far and away the biggest security issue, that's a different discussion altogether though.
 
The security people are saying "assuming you will still always have some bug somewhere, what do you do when you hit it?" And yes, terminating a process or halting the system is usually a good choice for a system which is now in an undefined state which is not possible to prove correct.

So yes, the bugs should be fixed. But out in the wild, we probably should not have things which just kinda keep running even though there's been a significant error (malicious or otherwise). Terminating a process in the best case or the system in the worst is actually a very viable and generally correct thing to do.

If it is happening all the time, well, you've got some shit upstream which really needs to get fixed - but don't blame the last line of defense for having a scorched earth policy.
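To make the "warn and carry on" versus "kill on sight" choice concrete, here is an added illustration (my own code, not from any post in this thread or from the kernel): a length-checked copy that counts every refused overrun so developers can debug it, and that either returns an error to the caller or takes the fatal path depending on a hypothetical policy switch. The policy names and the fatal-handler indirection are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical policy switch: warn-and-refuse keeps the process alive,
 * kill-on-sight terminates it at the first detected violation. */
enum hardening_policy { POLICY_WARN, POLICY_KILL };

static enum hardening_policy policy = POLICY_WARN;
static unsigned long violations = 0;   /* the number a "debug first" developer watches */

/* The fatal path is indirected so it is visible as a single choke point;
 * by default it terminates the process. */
static void default_fatal(const char *what) {
    fprintf(stderr, "fatal: %s\n", what);
    abort();
}
static void (*fatal_handler)(const char *) = default_fatal;

void set_hardening_policy(enum hardening_policy p) { policy = p; }
unsigned long violation_count(void) { return violations; }

/* Copy srclen bytes of src into dst, refusing anything that would overrun dst.
 * Returns 0 on success and -1 when the copy was refused (warn mode).
 * In kill mode a violation never returns to the caller. */
int bounded_copy(char *dst, size_t dstlen, const char *src, size_t srclen) {
    if (srclen > dstlen) {
        violations++;
        if (policy == POLICY_KILL)
            fatal_handler("bounded_copy: source longer than destination");
        /* Warn mode: report, refuse the copy, and let the caller carry on. */
        fprintf(stderr, "warn: bounded_copy refused %zu > %zu bytes\n", srclen, dstlen);
        return -1;
    }
    memcpy(dst, src, srclen);
    return 0;
}

int main(void) {
    char buf[8];
    const char *oversized = "0123456789";      /* constructed input, 10 bytes */
    set_hardening_policy(POLICY_WARN);
    bounded_copy(buf, sizeof buf, "abc", 3);   /* fits: copied, no violation */
    bounded_copy(buf, sizeof buf, oversized, 10);   /* refused, counted, process lives */
    printf("violations so far: %lu\n", violation_count());
    set_hardening_policy(POLICY_KILL);
    bounded_copy(buf, sizeof buf, oversized, 10);   /* same bug, now fatal */
    return 0;
}
```

Running it shows the trade-off the post describes: in warn mode the bug is counted and surfaced for debugging while the caller keeps going, and in kill mode the identical input ends the process.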
 
It seems like Linus isn't used to working with different groups with different goals. Let's say Linus is building a safety feature for cars. Linus believes that if your airbag has a defect and is going to fire shrapnel in your face, your number 1 task is to fix it. The NTSB guy believes that the number 1 task is to remove them until a fixed replacement is available so that the 100 people who crash each day don't get shrapnel in their face but can get back to business right away. They're both correct in their own spheres of influence, but Linus simply doesn't understand how businesses work outside his own development industry and calls the NTSB guy a moron and insists that they just leave things be until the replacement is available, which saves the time, effort, and complexity of a lateral move then back. In the meantime 10 days pass and 1000 more people get shrapnel in their face. The NTSB guy is probably going to cause a bit more of a headache for the developers while preventing a whole lot more headache for the user base. Linus is only interested in his developers.
So far it seems no one is exempt from the occasional shrapnel blowups. With that, is it possible that we get more progress letting people beta test security bugs, rather than waiting until everything is perfect? (Which may never happen).

Merging feature branches that have too much time in isolation always results in plenty of new bugs. And yes the branches are still isolated even when they constantly pull in the latest from the main development branch each day. Somehow QA still finds tons of new bugs after the feature gets merged in regression even if there was extensive testing on both branches when they were separate.
 
Software dev here with a heavy emphasis on security.

Linus is (as usual) 100% on point. Shitty programming by lazy and ignorant developers is why we have such widespread security flaws in the first place.

"Oh, you mean I should bound check this array? But that's sooo much effort!" Suck it up, Buttercup. You're there for your supposed 'technical expertise' - now put up or shut up.

Honestly, SO MUCH of this goes away if we start requiring the same stringent controls for Software Engineering that we do for other Engineering disciplines.
 
Honestly, SO MUCH of this goes away if we start requiring the same stringent controls for Software Engineering that we do for other Engineering disciplines.

Because everyone calls themselves an "Engineer" now. Largely it's just armies of shitty coders with no actual engineering degree, understanding, or knowledge.

SOME places do have more rigor, but most places just don't want to pay for it. They'd much rather pretend they are somehow special and different, and their stuff either doesn't have bugs or they won't be found.

I also am really tired of the term "engineer" being completely bastardized, like you say. Random people writing something they call code really isn't engineering. Extending beyond "app" level of complexity requires actual discipline and knowledge most simply do not possess. We're paying for that across the board in software and especially firmware, everywhere.
 
Typical Linus: message delivery sucks but content is spot on.

EDIT: Awesome followup from Linus (indeed the thread on the list is actually quite good). The quote that sums it all up for me:

"Because without users, your program is pointless, and all the development work you've done over decades is pointless."
 
It seems like Linus isn't used to working with different groups with different goals. Let's say Linus is building a safety feature for cars. Linus believes that if your airbag has a defect and is going to fire shrapnel in your face, your number 1 task is to fix it. The NTSB guy believes that the number 1 task is to remove them until a fixed replacement is available so that the 100 people who crash each day don't get shrapnel in their face but can get back to business right away. They're both correct in their own spheres of influence, but Linus simply doesn't understand how businesses work outside his own development industry and calls the NTSB guy a moron and insists that they just leave things be until the replacement is available, which saves the time, effort, and complexity of a lateral move then back. In the meantime 10 days pass and 1000 more people get shrapnel in their face. The NTSB guy is probably going to cause a bit more of a headache for the developers while preventing a whole lot more headache for the user base. Linus is only interested in his developers.

The NTSB approach means a temporarily broken OS for all; Linus's approach means a temporary problem for a handful. I think his approach is better.
 
I am struggling to understand what they mean when they say "hardening". Anyone have a definition for the armchair coders out there?
The more features something has, the more vulnerabilities it has to the world.

Like a home with a ton of windows and doors. You can remove the windows and only have one door to "harden" your home from intruders. I go through this with my wife who always asks me to install those security doors on our front and back doors but I explain to her that any burglar is just going to go through the window anyway.
 