Darwin's Theories Blog

New Theories for a New Time

Linus Just Doesn't Get It

... and it shows
Linux founder Linus Torvalds makes an amazing claim about Linux security (or not) on gmane.kernel.org (I'm not even gonna help pagerank that article by linking to it; search the newsgroup name and the date 2008-07-08). Speaking about security fixes, he says:
... It makes "heroes" out of security people, as if the people who [just]
fix normal bugs aren't as important.
In fact, all the boring normal bugs are _way_ more important, just
because there's a lot more of them. I don't think some spectacular
security hole should be glorified or cared about as being any
more "special" than a random spectacular crash due to bad locking.
Security people are often the black-and-white kind of people that I
can't stand. I think the OpenBSD crowd is a bunch of masturbating
monkeys, in that they make such a big deal about concentrating
on security to the point where they pretty much admit that nothing
else matters to them.
Normal bugs are "way more important" than security to Linus, the guy in charge of Linux? I'm sure gonna think twice before running Linux on anything connected to the Internet. If he'd actually read the OpenBSD security policy document, or any of our presentations at conferences over the years, rather than just calling silly names, he'd know that OpenBSD works on ordinary bugs as a way of preventing security bugs. But I guess it's easier to sit at home pulling on your tool chain and calling people names, than to actually acquaint yourself with the facts. Well done, Linus. Next time I won't even bother recommending Linux as a second choice after OpenBSD.

P.S. As if to prove the point, the next day, security mailing lists were full of this:
Wei Wang discovered that the ASN.1 decoding routines in CIFS and
SNMP NAT did not correctly handle certain length values. Remote
attackers could exploit this to execute arbitrary code or crash
the system. (CVE-2008-1673)
So they have CIFS and SNMP in the Linux kernel, and they haven't checked for overflows? 'Nuff said!

P.P.S: Apparently not enough said! It seems that the esteemed Mr. Torvalds is also implicated in a massive coverup of security bugs (aka attempted "security through obscurity").