

Linux's Security Through Obscurity

An anonymous reader writes "The age-old full disclosure debate has been raging again, this time in no other place than at the foundations of the open-source flagship GNU/Linux operating system: within the Linux kernel itself. It beggars belief, but even Linux creator, Linus Torvalds, has advocated against the sort of openness on which Linux has thrived, arguing that security fixes to the kernel should be obscured in changelogs, saying 'If it's not a very public security issue already, I don't want a simple "git log + grep" to help find it.' Unfortunately, it's not kernel exploit writers who need to grep the changelog in order to find kernel vulnerabilities. On the contrary, it's downstream distributors who rely on changelog information in order to decide when to patch the kernels of their distributions, in order to keep their users safe."
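The "git log + grep" triage the summary refers to, as an added example that is not part of the story or of the kernel project: a small filter of the kind a downstream distributor might run over commit messages to decide what to backport. The sample log entries, commit ids and subsystem name are constructed, and the indicator list is an assumption. The commit whose message has been worded to hide its security relevance is exactly the one such a filter misses.

```python
import re

# Indicators a distributor's triage might key on (assumed list for this example).
SECURITY_PATTERNS = [
    re.compile(r"\b(use[- ]after[- ]free|double[- ]free|out[- ]of[- ]bounds"
               r"|buffer overflow|privilege escalation)\b", re.I),
    re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I),
    re.compile(r"Cc:\s*stable@vger\.kernel\.org", re.I),
]

def parse_git_log(text):
    """Split records produced by
    git log --format='commit %H%n%s%n%n%b%n==END==' (==END== is our own delimiter)
    into (sha, full message) pairs."""
    commits = []
    for chunk in text.split("==END=="):
        lines = chunk.strip().splitlines()
        if not lines:
            continue
        sha = lines[0].split()[1]            # first line is "commit <sha>"
        commits.append((sha, "\n".join(lines[1:]).strip()))
    return commits

def flag_security_commits(commits):
    """Return (sha, matched text) for commits whose message reads as a security fix."""
    flagged = []
    for sha, message in commits:
        for pat in SECURITY_PATTERNS:
            m = pat.search(message)
            if m:
                flagged.append((sha, m.group(0)))
                break
    return flagged

# Constructed sample log (fake commit ids and subsystem). The second commit is a
# security fix whose message has been written to say nothing about it.
SAMPLE_LOG = """commit 0001
fs/foo: fix use-after-free on concurrent close

Drop the reference only after the last user is gone.
Cc: stable@vger.kernel.org
==END==
commit 0002
fs/foo: fix up locking
==END==
commit 0003
docs: update maintainer entry
==END==
"""
```

Running `flag_security_commits(parse_git_log(SAMPLE_LOG))` flags only commit 0001; the obscured fix in 0002 is indistinguishable from routine maintenance.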


  1. Linus does not understand security by gweihir · Score: -1, Troll

    True, his achievements are impressive. But he is not the person to look to when security is concerned. Security by obscurity only hinders the defenders, almost never the attackers. Somebody that has problems finding hints to vulnerabilities in the changelogs will also have problems writing the exploits. But the defenders need to find _all_ vulnerabilities, not just one. So their job needs to be made as easy as possible. Security people understand that, Linus does not. Not the first time he mouths off about something he has no real clue about.

    Personally I would put the security fixes in special places, so they can be found fast. The Black Hats already have them, so let's at least level the playing field to some degree.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Re: The idealistic young become the cynical old. by gweihir · Score: 0, Troll

    He doesn't want them to stand out in any way at all.

    And that is where he does not get it. They have to stand out clearly and be easy to find. Anything else helps the attackers more than the defenders. Linus unfortunately has not a clue about this.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.