He's wrong. Security bugs affect people who might not be using the system at the time, while ordinary bugs only affect the one user.
If a server with credit card information permanently corrupts the filesystem, and bricks all the hardware, and more or less does the worst that a non-security related software failure can do, the server gets reimaged or replaced. It costs maybe a few thousand dollars to replace. Nobody is really affected because failures are expected.
If a server with credit card information has a security bug, then credit card fraud and its associated costs have to be dealt with, identities might have been stolen, and in general, large numbers of people are affected, possibly severely.
The guy that fixes an unexploited critical remote code execution or privilege escalation bug is no less (and no more) a hero than the guy that unearths a file-system bug silently corrupting data.
So in my opinion he's right: both are equally important, as you cannot judge the importance of each one on purely speculative and gross domain grounds. A potential is just that: a potential, until it gets real. Both cases can be mitigated or prevented by applying similar strategies (redundancy, layered checks, ...).
On the other side of the spectrum, a good bunch of Intel video cards have been crashing randomly (ranging from seconds to hours) for years, and it affects a good deal of people who have to revert to vesafb or fbdev, or dismiss Linux entirely, right now. Another one is the issue introduced at some point that makes kworker eat up a chunk of CPU for no apparent reason (from 10% to 100%), resulting in useless wakeups and processing, raising power use by 1 to 10W. Multiply that by the growing number of Linux systems using 2.6.35+ and you get quite a bunch of watts that should never have been produced by power plants nor paid to energy companies by the machine owners. It happens right now with real, tangible effects.
I'm not dismissing security bugs, but put things into perspective as things are not black or white, and every single bug matters.
Agreed. His broader point about not "glorifying" security researchers is valid, but he goes way too far when he says security bugs aren't more important.
There is no point in telling him he's wrong, either. He'll just call you a "masturbating monkey".
So what you are saying is that security fixes should be highlighted separately from regular bug fixes? That in a release, these security fixes should be highlighted and made clear specifically what security fixes went into place?
This is at the end of the day just so silly. Besides the fact that this is an argument from something like 3 years ago, it's also the case that Linus and the kernel development team just don't have to have anything to do with this process. If you want to pursue secret handshake security for Linux code, set up a project to do that. Projects doing exactly that date back to the mid '90s.
Is this really anything more than yet another opportunity for message board geeks to go "RARRR!"?
So what if he's wrong about that? You don't get a prize for winning that argument; he's still Linus, Linux is still going to be the dominant server platform on the Internet, and he doesn't have to take security any more seriously.
The fact is, despite that one obvious nit with his comment, if you take what he's saying in context, he has a very valid point about how the security community interacts with the Linux development community.
Linus is absolutely correct in describing this refusal of the monkeys to see anything else besides the matter at hand. Security isn't the main goal of the server development. Successful development of the server is the _goal_ and security is just a necessary piece, among others, in the much bigger picture. Linus understands it and thus he's successfully managed to deliver for 20 years where others, more weak minded and weak willed, have succumbed to the process, security and other monkeys.
Unfortunately, because HN is markedly bigger now than it was in 2008, this story is already over 80 votes and the flags aren't going to do anything. The flag weights need tuning.
This won't be popular, but: Linus' attitude is part of why Linux sucks at security.
Go to e.g. osvdb.org, search for 'Linux kernel': 878 results. Search for 'Solaris', which includes many non-kernel vulnerabilities: 595 results; search for 'freebsd': 171, including e.g. ftpd issues; search for 'OpenBSD': 93, again including stuff like an XSS in OpenBGPD's bgplg (very much not part of the kernel!). This is not merely historical; Full-Disclosure readers get a "vulnerabilities in Linux kernel: 20 issues fixed" every month or so.
Yes, Linux has some really nifty stuff, lots of people are looking at it, and things like GrSecurity can be useful. But it also has a lot of (local) kernel-level vulnerabilities compared to similar pieces of software.
Just because more Linux security bugs are found doesn't mean that Linux has more security bugs.
I think there are far more linux boxen connected to the internet than solaris and *BSD, so the incentive to search for vulnerabilities should also be greater.
Haha, I spent a bit looking at Net and FreeBSD, but I stopped because no-one really uses it, so what's the point?
To be fair, this stuff happens in BSD land too, but nowhere near as much as on Linux. To be fair again, the Linux codebase is a very different beast and has grown in a very different way.
It won't be popular for a variety of reasons, the foremost two being:
1. It's a very dumb metric, for reasons stated well downthread and for many others (the bewildering number of off-by-default hardware and kernel features many of those vulns appear in being another).
2. The fairly obvious rebuttal that things Linus says on message boards actually have little to do with the security of Linux, and that the particular thing Linus said this time has practically nothing to do with the security of Linux.
With the possible exception of OpenBSD†, nobody clueful picks server platforms other than Linux with the expectation that it is going to be easier to keep them secure on the Internet.
† Reasonable people can disagree about the extent to which OBSD is a win; in 2011, I'd rather have Spengler on my side than Theo.
It is not a very good proxy for how likely you are to get 0wned. It is available, though, and I'm not convinced that it's so bad that a 5x (Linux kernel/FreeBSD) or 9.4x (Linux kernel/OpenBSD) difference still doesn't say anything.
Linus' words don't affect code quality; but wanting to move quickly does, and Linux does move quickly. I agree that Spengler is pretty awesome, though.
"I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them." - Linus Torvalds
Linus likes to run his mouth about things he doesn't know, and unfortunately, people listen.
OpenBSD is great because of everyone's obsessive focus on quality. This means fixing bugs (all security exploits are bugs), providing clean interfaces, and keeping garbage out of the system.
Linux development tends to be a lot more "pragmatic," which in practice means trying to hide bugs (http://seclists.org/fulldisclosure/2008/Jul/276), being ok with providing a crapload of weird, incompatible, non-unixy interfaces to do things (compare Linux wireless configuration vs. OpenBSD's ifconfig), including binary blob garbage with the kernel, and relying on bloatware like Gnome.
git is easier to use than CVS and more practical because of its speed and distributed nature. Add the (controversial) topic branches to the mix and you have an easy way to contribute to the project or make your own custom fork.
Sure if you look just at the source code, I agree that the one for OpenBSD looks better than the one for Linux.
I think perhaps he is slightly overreacting to get his point across. Whilst security bugs may well be worse than a lock up (due to stolen data etc.), they aren't the be all and end all of the system. I think he thinks that perhaps the security people won't pay any attention to his point unless he is very ... blunt about it.
Likely scenarios resulting from various system defects:
Non-security defect: system goes down for a while, company loses money, possibly data, reputation suffers. Companies using sensible redundancy and backup procedures are able to recover.
Security defect: system is compromised, user data stolen, internal company secrets stolen, financial data stolen, financial instruments (CC data) stolen. Massive impact on the company and on the customers, much higher potential for the destruction of the company due to damage to its brand and its business.
It's the old academic vs. real world dilemma just re-framed around operating systems. Is it worth securing the OS to the detriment of bug fixes? Will users be happy with a secure but buggy OS? The answer is always a balance between the two, but I think Linus is right to knock 'security' off the pedestal as the most noble of pursuits. Security alone isn't enough.
"That is an idiotic thing to say; 1 + 1 is 2, not 3"
can be shortened to "1 + 1 is 2, not 3."
Parent comment can be shortened to "".
Please avoid introducing classic flamewar topics unless you have something genuinely new to say about them.
Resist complaining about being downmodded. It never does any good, and it makes boring reading.
And which rule is "Oh, the Linus Circus is in town again. Good times." violating?
It's a funny statement. I like it. I cannot see any flamewar topic in it...
But this question in particular is discouraged. Follow HN for any length of time and you see the answer. If you want a meta-thread about posting, create one. But this thread is (was) about security.
All communities have some degree of self policing. Those that allow any commentary to go by usually end up embroiled in vitriol and snark. HN strives to keep a specific level of intelligence (to varying degrees of success). As was stated elsewhere, and I mean no disrespect by this, if the community-enforced standards of comment quality do not appeal to you, you have the choices of (A) not commenting, (B) spending more time asking yourself if your comments will be deemed acceptable by the community or (C) leaving.
I too like to fire off witty, snarky comments. But after a few of them got torn apart vote-wise, I now spend more time asking myself if I will be adding anything useful to the discussion. While I try to refuse the allure of groupthink just so I can get the rush of seeing my karma count move up, I do attempt to at least find a way to state my opinion in a way that is palatable and intelligent.