Linus's Thoughts on Linux Security

Rick Zeman writes: The Washington Post has a lengthy article on Linus Torvalds and his thoughts on Linux security. Quoting: "...while Linux is fast, flexible and free, a growing chorus of critics warn that it has security weaknesses that could be fixed but haven't been. Worse, as Internet security has surged as a subject of international concern, Torvalds has engaged in an occasionally profane standoff with experts on the subject. ...

His broader message was this: Security of any system can never be perfect. So it always must be weighed against other priorities — such as speed, flexibility and ease of use — in a series of inherently nuanced trade-offs. This is a process, Torvalds suggested, poorly understood by his critics. 'The people who care most about this stuff are completely crazy. They are very black and white,' he said ... 'Security in itself is useless. The upside is always somewhere else. The security is never the thing that you really care about.'"

Of course, contradictory points of view are presented, too: "While I don't think that the Linux kernel has a terrible track record, it's certainly much worse than a lot of people would like it to be," said Matthew Garrett, principal security engineer for CoreOS, a San Francisco company that produces an operating system based on Linux. At a time when research into protecting software has grown increasingly sophisticated, Garrett said, "very little of that research has been incorporated into Linux."

Nailed it

'The people who care most about this stuff are completely crazy. They are very black and white,' he said ... 'Security in itself is useless. The upside is always somewhere else. The security is never the thing that you really care about.'"

This nails it entirely on the head, and is why a lot of security and privacy nutters gain so little traction when dealing with the masses. Security and privacy are important, but they need to be balanced pragmatically with what people actually want to do with the system.

Re:Nailed it

[postbigbang]

No.

It's the very height of arrogance to not consider safety. Security isn't about paranoia, it's about bad guys, and there are a huge number of them, using coder stupidity and this sort of arrogance to rob people of real money, or ransom systems.

It's an enormous failure of engineers that don't put safety first while trying to be faster, cooler, or wittier than the next engineer. You can call it artistic creation, egalitarianism, but without the concern for the safety of others, it's boorish, arrogant, and rife for misdeed.

Re:Nailed it

Although for those who don't agree... we have recently introduced a follow-up to the immensely popular AdBlocker line of software. This new product, currently in test markets, actually allows the user to block ALL interpersonal communication and isolate oneself in a virtual cocoon of total information security (which, incidentally, means you will be placed in a sensory deprivation chamber and all of your thoughts will be systematically cancelled as they arise by an off-grid hamster-powered magnetic field emitter, leading to the total elimination of all thought and consequently any ideas which might be deemed "unsafe"!)

Coming soon to markets near you!

Re:Nailed it

[MyFirstNameIsPaul]

I sometimes wonder what the world would look like if developers were financially liable for software security failures.

Re:Nailed it

[Junta]

The problem is that invoking the word 'security' by itself can be speaking to reasonable application of good practices to pretty insane stuff.

This is a problem that continues to plague the industry, where you have 'developers' who are forgiven for not understanding security practices and try to work around that by adding a 'security' team who do not understand the actual functional goals or a lot of reality of how things are used. Both sides are at fault, but the developers producing the actual requested functionality get benefit of the doubt in perception in wider area.

Re:Nailed it

Software, the little that would be created, would cost 10,000x what it currently does.

And OSS would evaporate over night.

Re:Nailed it

Let's put the inmates in control of the asylum while we're at it.

Re:Nailed it

[oh_my_080980980]

Given most security exploits are through the user and not the kernel, Linus is right. Christ Microsoft can't harden their OS and you want to complain about Linux. Nothing to see her. Slow news day.

Re:Nailed it

[silentcoder]

On the other hand - the most secure you can make a computer is to pull out the power cord and dump it in a smelter.

Unfortunately trade-offs do have to be made because generally all that security is absolutely *useless* if you cannot subsequently actually USE the thing for it's intended purpose.

Re:Nailed it

[__aaclcg7560]

Christ Microsoft

When did Microsoft become Lord and Savior? That's a whole different realm of monopoly power.

Re:Nailed it

[postbigbang]

It's not about Microsoft. It's about Lucky Linus not getting the message, being arrogant, and permeating a culture where loose-and-fast is better than thinking of security risks.

Re:Nailed it

[naris]

The most effective security tool is a sledgehammer. If one is sufficiently applied vigorously to any computer, the result will be a completely secure system that is totally impervious to all hacks!

Re:Nailed it

[postbigbang]

If you're a real hacker, you should be immune to this kind of binary thinking. People hack stuff, and look at the damage now done given criminal motives. Nothing is foolproof, but security is a culture, a mindset. It's nice to make something nice and artistic, but if it melts like an ice sculpture, what's left?

Re:Nailed it

[Alumoi]

You have a typo there. You wrote computer when you meant user, right? Applied vigorously to any user

Re:Nailed it

[vtcodger]

Ahem ... I think maybe you don't fully understand, It's not that kernel security is entirely unimportant. It's that the idea that you can or should fix imaginary security problems in the kernel seems kind of ditzy. It's sort of like protecting New York City from terrorists by hiring more police and assigning them to florist shops. Yes, that would presumably discourage terrorist floral attacks. But since when are those a known or potential problem?

If you want to secure computing, then reduce attack surfaces dramatically. Don't hook everything in sight up to the same internet. Cut way back on the number of protocols in use. Lose idiocy like Javascript. Fix eccentric cookie behavior, etc, etc, etc.

If, after doing that, it turns out there are exploitable holes in the kernel -- say a flaw that allows a carefully crafted IP packet to make arbitrary changes to the system or a way for the janitor to inject a privileged process from a USB stick into people's desktop PC startup while he/she is emptying the wastebaskets -- I doubt there will be any resistance from Torvalds or anyone else to fixing them.

Re:Nailed it

[silentcoder]

With roughly 5000 gods worshipped on earth currently - it's not much of a monopoly though the christ one does seem to have the largest market share. If Microsoft was able to acquire that though - then I am not sure what still separates it from the Satan one ?

Re:Nailed it

[silentcoder]

There was no "binary" thinking there - on the contrary the very idea of "trade-offs" suggests thinking on a sliding scale.
"This security patch we should add because it gives a high degree of coverage with little negative impact" but "that one we should skip because it gives only a small bit more while hugely impacting performance" and "this one over here we should never contemplate regardless of it's coverage because it seriously breaks user-space".

Re:Nailed it

[Etcetera]

I sometimes wonder what the world would look like if developers were financially liable for software security failures.

It'd look like the cost analysis of the current US healthcare industry. The fear of a malpractice lawsuit is rampant, which leads to ass-covering every which way imaginable, and fees and insurance costs that match.

I'm not saying malpractice lawsuits are bad, but that level of scrutiny is what we're all paying for out of our pockets.

Re:Nailed it

[postbigbang]

I'm fully aware of kernel functionality. "Imaginary" security problems become discovered often. Linux is not just the kernel, it's also all of the apps depending on kernel functionality. Yes, it's FOSS and the kernel is freaking huge, a life's work of astounding achievement.

Your pragmatist's instructions are great. This said, allowing a carefully crafted packet to push a process into an overflow that permits privileged code execution is a hideous failure. Suddenly, a machine is cracked like an egg, and rife for code injection that renders whatever real assets in use for ripoff.

Yes, things get fixed. Fewer things get fixed when code is well thought-through as a matter of innate discipline as a function of a culture of being inherently security-mindful. Such statements by Torvalds say: loose and fast is ok. We're engineers and have more meaningful things to do as our goals. Therein lies my problem with it.

Re:Nailed it

[drinkypoo]

It's the very height of arrogance to not consider safety.

When a distribution comes out that actually makes decent use of selinux, then Linus can be asked to do more about security. As it is, most distributions are ignoring or at best underutilizing most of the security functionality built into the kernel. Even for apparmor there's typically only a handful of profiles, and they're only really being used to try to band-aid known-insecure applications.

Re:Nailed it

That is like blaming the builder when a homeowner is robbed. You can take some precautions. But you cannot deny a determined criminal with anything other than the law, or a lethal booby trap (which I support, but the law does not).

Re:Nailed it

[MyFirstNameIsPaul]

Why pick only one industry that is notoriously bad and claim that is what would happen? What about the carpentry industry? Why don't couch-makers suffer the same issues? Why wouldn't software developers be similar?

Re:Nailed it

He gets the message but he doesn't agree with your core ideals, there is a big difference.
Also, you accused aussersterne of putting words in Linus mouth, but here you are not only doing the same but also in an arrogant and insulting fashion.
Double irony does not cancel itself out.

I think Linus point is very clear. Security has no value by itself. It is nice, but it should never get in the way of getting the job done.
This is very similar to the reasoning that is used when considering life critical application.
Safety is nice, but if it gets in the way of getting the job done the user will disable it. Therefore safety has to be added in a way that doesn't inconvenience the user.
Luckily the kernel is open sourced so if you think that you can make a more secure kernel without hurting its functionality then you can go ahead. You certainly seem to think that you know better than others and there clearly is big money in doing so.

Re:Nailed it

[postbigbang]

Underscoring your reply was a theme of trade-offs. Some people want to live a life with minimal patches, because the code was right to begin with, and withstood barrages of overflow/etc attempts because the code was well-designed, and used as one of the pragmas for its underlying theme: security.

Coders aren't getting message that security comes first. Sure, take an idea and make it into code. And if you're going to distribute that code, prevent others from coming to harm. This is the theme, this is the culture that's missing in Torvald's quote.

Re:Nailed it

[Stuarticus]

This Linux sounds dangerous with all the fast and loose security risks, I'm glad I stuck with XP.

Re:Nailed it

[DrXym]

Considering security and putting it above all else are two different things.

The Linux kernel has quite strong security but if every single thing that went into the kernel had to justify its security first and foremost then development would slow to a crawl. If you want to see the kind of impact that might have then look at something like OpenBSD.

Re: Nailed it

Lack of the Apple logo.

Re:Nailed it

[Junta]

that doesn't inconvenience the user.

That's the real key take away, and the point people like to talk past. It's like a full harness versus a seat belt. A full harness would be objectively safer if used, but fewer people are going to go to the hassle of connecting up a full harness every time they drive and so the seatbelt from a practical standpoint is the better choice to offer to customers of the automotive industry.

Re:Nailed it

[Junta]

Depends on your definition of 'decent'.

Distributions that have made strict use of SELinux to tightly lock things down may be 'decent' to security folks, but terrible to use, causing people to just turn it off.

Distributions that have piled tons of permissive policies to make some moderately useful environment get derided by security folks as being too lax, though they at least get to enforce the restrictions they designed.

It's impossible to make both people trying to get their work done and hard core security guys happy...

Re:Nailed it

Function comes first. Secure code that doesn't work is useless. Code that does work without any consideration for security may become useless, but may work just fine for decades. Or it may be secure as is.

Next comes usability. Software no one will use is very secure, but useless. Software that can be used but hasn't had any consideration for security is a security risk, but may work fine for decades. Or it may be secure as is.

Software should be used to do something. This is the primary concern. "Security first" is religious drivel.

Re: Nailed it

'Christ' just means 'messiah'.

There have been many people who claim to have been a Christ. And many no doubt more to come.

Jesus was just a popular one.

Re:Nailed it

With roughly 5000 gods worshipped on earth currently - it's not much of a monopoly though the christ one does seem to have the largest market share. If Microsoft was able to acquire that though - then I am not sure what still separates it from the Satan one ?

Satan is open and honest about his EULA. It's all right there in print. There's no hidden bugs or gotchas.

Re:Nailed it

[fahrbot-bot]

'The people who care most about this stuff are completely crazy. They are very black and white,' he said ... 'Security in itself is useless. The upside is always somewhere else. The security is never the thing that you really care about.'"

This nails it entirely on the head, and is why a lot of security and privacy nutters gain so little traction when dealing with the masses. Security and privacy are important, but they need to be balanced pragmatically with what people actually want to do with the system.

Agreed. My experience with computer security people is that they're only happy with a system's security if the machine is still in the box -- and a few are still a little twitchy about that. Unfortunately, the system is fairly unusable in that state - but the security people are fine with that.

Re:Nailed it

I'm fully aware of kernel functionality. "Imaginary" security problems become discovered often. Linux is not just the kernel, it's also all of the apps depending on kernel functionality. Yes, it's FOSS and the kernel is freaking huge, a life's work of astounding achievement.

Not as far as Linus is concerned... Linux is the kernel, and nothing but.

Re:Nailed it

When a distribution comes out that actually makes decent use of selinux

Or you can just use FreeBSD jails and avoid that clusterfuck altogether.

Re:Nailed it

[gweihir]

As a security expert, I fully agree. Security is something that you need to think about from the beginning, but you only ever need enough that your residual risks are acceptable.

These "critics" often do not get how to do professional risk management (Linus does) and, quite often, I get the impression they do not have any significant coding experience, as they seem to think the changes they would like are easy to implement. I run into these black vs. white people in security quite frequently. These are the amateurs that do not understand that actually building things that work is already very, very hard and if you keep changing things all the time you just end with a dysfunctional, insecure mess. Also, you want a stable product, you incorporate research results only after they have been tested out in practice for a few years and only if they bring you a significant gain.

The Linux kernel has an excellent security track record in its core. Some drivers are not that good, but that is why if you need high security, you only compile those that you really need.

Re:Nailed it

[gweihir]

Aaaaaand fail. This discussion is about security, not safety. These are two entirely different things.

Re:Nailed it

[suutar]

because a problem with a couch is much less likely to be either dangerous to life/limb or expensive to business processes, is my guess. All the cases where software security (heck, IT security) is getting significant press are cases where it's potentially lethal (medical stuff, cars) or expensive (in money or some other prized commodity, like privacy... but mostly money)

Re:Nailed it

'The people who care most about this stuff are completely crazy. They are very black and white,' he said ... 'Security in itself is useless. The upside is always somewhere else. The security is never the thing that you really care about.'"

This nails it entirely on the head, and is why a lot of security and privacy nutters gain so little traction when dealing with the masses. Security and privacy are important, but they need to be balanced pragmatically with what people actually want to do with the system.

I would argue that this is exactly the reason for so much "security theatre" in our lives. Real security is generally ignored, but I've worked for so many places that has a guy who read a book on security once so we're constantly bombarded with questions about cross-site scripting and SQL injection despite using frameworks that prohibit those things.

I just don't believe that there are many real security professionals.

Re:Nailed it

[spire3661]

Fuck you, seriously. Safety is not the first concern of computing. Further, that is the responsibility of the USER.

Re: Nailed it

I'm sorry pal but the sad truth is that when you realize that you need a more secure system is already too late. So long and thanks for all the fish.

Re:Nailed it

[david_thornley]

Most coders are coding for somebody else. I write code for my company, and my company pays me. I get told what to do by my manager, and the programming culture is enforced by code review.

In other words, whether or not I get that message does not depend on me. I've worked at a place that practiced security by obscurity, and nothing more. I tried arguing against that once, and was told not to worry about it.

Trying to get that message to developers like us isn't all that useful. Trying to get it to top management is going to fail, because security does not come first. I know how to make a computer secure with thermite, concrete, and a trip to a deep part of the ocean, but that's not really useful.

Re:Nailed it

[delcielo]

You're absolutely correct. At some point, you have to accept a certain level of risk. It reminds me of a quote from Adm. Nelson

"A ship at port is a safe ship; but that is not what sailing ships are for."

Re:Nailed it

SELinux isn't that complicated. It's just requires a different way of thinking compared to traditional Unix permissions. I used to see it as an annoyance, but took the time to see what the audit messages really meant, and have grown to quite like it. It's very flexible, but can allow you to lock a system down to a handful of predefined actions, if that's what you want to do.

Re:Nailed it

[david_thornley]

There'd a whole lot less software. There would be almost no open source software. Software development would be crawling. Computers would be locked down like you wouldn't believe; Apple's App Store is relatively permissive.

Do you realize what's involved in avoiding security failures entirely? The software is going to be used in all sorts of environments, probably for purposes it wasn't intended for, and will be subject to attack by an unknown number of crackers of unknown competence and ingenuity for an unknown number of years.

Did you ever by deck stain and read the instructions? The manufacturer doesn't know what your deck is like, so there's an instruction to apply a very little to an inconspicuous spot on your deck first. The situation for software is not that simple, since you can't tell security as a user. The software you buy will be certified to be secure in a strictly controlled computing environment, and it will have to verify that every time it runs. In any case where the software might have some interaction with other software, it would have to check that that software was not installed every time it ran. You're likely to have to own one computer for every major application you want to run.

The software would have to be proven to be secure. That sort of thing has been researched, and it is possible to write code that can be proven to match the spec. Therefore, it will be necessary for the spec to cover all possible attack vectors and prove they're impossible. Have fun.

Suppose you are selling high-security bicycle locks, and it turns out that anyone can open any of them with a Bic pen, much like the Kryptonite locks when I was much younger. I believe they disclaimed liability, but if they hadn't they'd have been on the hook for a number of stolen bikes. Software will be in a similar situation. One crack and everyone will quickly find out how to do it, and so liability is likely to go from zero to catastrophic before the vendor can do anything.

Re:Nailed it

[carnivore302]

I'd like to point out that linux became a lot less secure because of systemd

Re:Nailed it

[sjames]

Because nobody ever has suggested it's the couch maker's fault if someone breaks in to their house and takes the couch.

Re:Nailed it

Nope. You ENTIRELY missed Linus' point. The security/quality you are talking about is EXACTLY what Linus promotes, e.g. that 'quality comes first above all else' not 'security comes first above all else' since the latter will impose complexity, constraints & potentially even breaking 'user space' (e.g. less 'quality').

Besides which, due to the nature of Linux there is 0 stopping ANYONE from grabbing the Linux code & modifying it to their liking to 'make it more secure' or to design a kernel with their specific priorities in place and then releasing that.

This concept in the article that Linux 'security' is broken because Linus is a 'dick' is just stupid to an extreme. Linus manages the development of a kernel that many hundreds of thousands of companies & even more people find useful, IF they want to modify it to make it even more useful for their specific use case than go right ahead and do so. As Linus noted, if you are going to use Linux for running a Nuclear power plant than don't put that plant on a network attached to the Internet! Or put another way as his point was just 1 way to phrase it, "use the proper tool for the job you want to do with all you're use cases in mind", if you're use case is to put your Power Plant on the internet so you can do remote 'command and control' or something stupid like that, than you had better go through all you're code in depth & make it as secure as you need it to, don't go crying to Linus that the kernel isn't 'secure enough' for you're use case.

Ultimately Linus has made it very clear as to his top design principle...eg. 'quality' and "Don't break user space", if a 'security researcher' has some bug up his ass as to wanting the Kernel to be more secure than I'm sure Linus will accept any submission that addresses that concern provided it meets these basic design principles. Does that mean it's likely not going to be quite as secure as some of the 'security researchers' in the article would like? YUP! guaranteed but than again that gives them an opportunity to build a business around those 'holes' they believe exist...if there is a market for such a thing I'm sure they'll make tonnes of money servicing that market. To that extent that's why Linus clearly gets so upset, this isn't at all hard to fathom & so he goes off the deep end when people continually expect him to change his ways & modify everything to suit their specific needs potentially causing major issues for everyone else, it's not going to happen so quit asking him.

Re:Nailed it

Then you are ENTIRELY missing Linus' points or observing his extensive & legendary blow ups. There is no 'fast & loose' at ALL, he wants quality as the 'bar 1' design principle & will reject anything going against that principle (that's basically what he means when he says "don't break user space"). Are there bugs in Linux? Yup no doubt (as Linus admits) as there are bugs in EVERY piece of software/kernel and some of those bugs can be exploited to own a system, that's bad & when their found they are fixed quickly.

If someone came to him & said 'look, as a matter of design choice there is this huge security hole that can be exploited at will regardless if there were 0 bugs' I am damn sure he'd have the kernel redesigned to address it. But that is not what the debate is about here at all. The debate is about people ('security crazies' as he calls them) asking him to entirely redesign the kernel & his point of view on development of it to an extent that it would break user space (functionality & quality) to guard against exploits that could happen due to bugs (e.g. 'manufacturing faults').

Re:Nailed it

No.

It's an even higher degree of arrogance to insist that safety be the first consideration. We're talking about an operating system, not a bridge or an antibiotic. While we want our systems to be safe and secure, there's nothing as useless as a system that's so secure that no one can get to it to use it. The person who said "Security and privacy are important, but they need to be balanced pragmatically with what people actually want to do with the system." did indeed nail it.

Security is a TOOL, not an end unto itself. And security folks do make themselves sound like nutters when they talk down, way down, to everyone and say things like "we're here to stop the Bad Guys".

Re:Nailed it

[drinkypoo]

Distributions that have made strict use of SELinux to tightly lock things down may be 'decent' to security folks, but terrible to use, causing people to just turn it off.

It seems like after all these years, someone would make a serious attempt at a tool to automatically develop a profile...

Re: Nailed it

[KGIII]

I found Jesus. I've since lost the picture but it's surely online somewhere as I know I uploaded it. I know it was Jesus because that's what it said on his license plate. It was a blue Chevy, a bit old, in Kutztown, PA. It's a college town so he was probably there picking up chicks.

Re:Nailed it

[KGIII]

Err... Microsoft may not be a very good example. In the core OS, call it the kernel, there are few exploits or vulnerabilities as of late. At least not being disclosed and it's really quite a feat. I don't use their products but I am rather impressed with their security improvements.

Re:Nailed it

[Electricity+Likes+Me]

The problem with hard core security guys is that security is there job and they wind up being unable to imagine that it's not actually the job description of other people.

Re:Nailed it

[SwashbucklingCowboy]

If you don't have security then you can't know that the system is doing what you want...

Re:Nailed it

[gweihir]

Nice quote!

Re:Nailed it

If you swap the right words out, this sounds like most politicians talking about terrorism post 9/11.

Which security company are you shilling for anyway?

Re:Nailed it

If you put security first how did you manage to make that post?

In order to post your message you are using an OS that has security flaws, a browser with security flaws and have both connected to a network with others ready and able to exploit some of these flaws. Certainly your need for security ( which would require your computer to be disconnected from any network ) is second to your apparent need to share your opinion on the subject.

Re:Nailed it

allows a carefully crafted IP packet to make arbitrary changes to the system

This would be a serious bug in the network stack and would result in Linus yelling at everyone involved.

way for the janitor to inject a privileged process from a USB stick into people's desktop PC startup

The janitor can reboot a computer with an arbitrary USB stick, and this has nothing to do with Linux. If you're concerned about this type of attack, disable boot from USB and password protect the BIOS settings.

Re:Nailed it

the problem is, it's easy to say that an MP3 player should have read access to these files, access to the audio out device, permission to display a window, and maybe also permission to make notifications.

But what should the web browser be allowed to do? Especially when it's your email app, and music player, and video player, and text editor, and needs to JIT reams of javascript downloaded from the Internet.

Should it be allowed to do everything by default? Or should it have a prompt every time it tries to do anything interesting?

As soon as the security people figure out how to set permissions on a web browser, people will accept the new security feature.

Re:Nailed it

You missed the point numbnuts.

You could make the Linux kernel 100% secure, but then it would be entirely unusable.

There is a balance between security and usability.

Even the highest security buildings are not 100% secure, because they need to conduct business.

Re:Nailed it

SELinux only protects against a subset of security problems. Even with SELinux enabled a slew of other vulnerabilities can still root the system. Security needs to be a mindset for all software developers, not just kernel MAC developers.

Re:Nailed it

Don't compile USB drivers into the kernel.

Problem solved

Re: Nailed it

[Dog-Cow]

"Christ" means anointed. In Jewish (and thus Christian) tradition, the Messiah will (or was) an anointed leader/king. But "christ" does not mean messiah.

Re:Nailed it

because a problem with a couch is much less likely to be either dangerous to life/limb (...)

Wrong. A bad couch can cripple you over time, or give a trombo that could kill you in hours.

Re:Nailed it

In other words, they want to live a pipe dream...

Re:Nailed it

No.

It's the very height of arrogance to not consider safety.

You are trolling. Linus considers safety, and said as much. He just considers security bugs as he does every other bug and doesn't accept security related changes that will impose a significant negative performance impact on the kernel or change the functionality of the user space.

Re:Nailed it

[postbigbang]

No, this is a fundamental and profound difference: safety comes first, not as a feature, It's an immature view not to consider safety as fundamental.

Re:Nailed it

Cookies, being a text file, has no behavior

Re:Nailed it

When was the last time a bug was found in Tex?

PeaNUTS!

Coming this Christmas!

Security as a trade-off

[QuietLagoon]

Linus Torvalds: ...Security of any system can never be perfect. So it always must be weighed against other priorities — such as speed, flexibility and ease of use — in a series of inherently nuanced trade-offs....

Fortunately, there are open source operating systems available where security is less of a trade-off and more of a priority, such as OpenBSD, where the developers maintain a laser focus on security.

Re:Security as a trade-off

[Shinobi]

On the other hand, OpenBSD is perfect proof that Linus is right: The trade-off is that for the increased security, you suffer in terms of the computer being useful for other things. It's useless for anyone wanting to do 3D modelling and animation for example, or working with video editing.

Re:Security as a trade-off

[ArchieBunker]

What are you even talking about? How is OpenBSD useless for 3d modelling and animation? If the software is available for Linux it should compile on OpenBSD. Oh and there is virtually no video editing software for Linux. What is around is buggy and still in alpha stages in terms of what Adobe pushes.

Re:Security as a trade-off

[LichtSpektren]

Exactly this. Windows is insecure as fuck, but people use it because their software runs on it. OpenBSD is probably unbreachable but it's terribly useless as anything but a firewall; to use it as a general OS, you have to turn a lot of its security precautions off. Linux (and by that I mean "GNU/Linux" e.g. RHEL, SUSE, Debian; not Android) gives us a healthy balance between usefulness and security. That's why almost every webserver runs Linux.

Re:Security as a trade-off

That is not the idea behind OpenBSD. If you use only the packages available and tested on OpenBSD, the people of OpenBSD guarantee you that they have done everything in their power to make those packages as secure as possible. Note that they don't guarantee there are no security issues at all. But at least they are very open when problems occur and immediately start working on fixing any security issues.

OpenBSD is not meant to be used as a 'normal' consumer OS where you just install whatever software you need, and compile it from source when it is not made available by the OpenBSD people. The OpenBSD people will not guarantee any thing when you compile and install your own packages. In fact an OpenBSD installation with customer compiled packages will probably be less secure than a full blown BSD/Linux distribution that offers all those 3D modeling and animation packages out of their own repositories. The rate of detecting security issues when thousands of users install and check these packages is a lot higher than just you who compiles and installs random software.

OpenBSD is probably the most secure OS available, as long as you use only the packages that are made available. I've used OpenBSD as an internet firewall/router, a basic webserver and a DNS server. I would not suggest using OpenBSD for a desktop with advanced software because installing custom compiled software on an OpenBSD will no longer make it the most secure OS and there are better solutions: other operating systems that offer the specialized software out of the box.

Re:Security as a trade-off

[Shinobi]

What I'm talking about is the fact that due to the focus on security, other things have been set aside, such that working with the things I mentioned in an interactive fashion is a sluggish and annoying proposition, especially as your scenes grow more and more complex. So what if the program compiles under OpenBSD? If it doesn't work in a satisfactory manner, then there is a problem. On my i5 2500 with 8GiB RAM, Blender running on top of OpenBSD feels as sluggish and clumsy as Blender under Linux back on my single-core Athlon 64 with 2GiB RAM

Re:Security as a trade-off

[unixisc]

That's one thing I wondered. If Matthew Garrett thinks that Linux has its shortcomings, why doesn't he base CoreOS off OpenBSD, instead of Linux?

Re:Security as a trade-off

Because he'd like some people to use his products.

Re:Security as a trade-off

[QuietLagoon]

...OpenBSD is probably unbreachable but it's terribly useless as anything but a firewall; to use it as a general OS, you have to turn a lot of its security precautions off....

OpenBSD's security is not some superficial thing, it goes deep into the OS You don't just "turn it off", indeed some aspects of it cannot be turned off because some aspects of the security are the coding conventions used.

.
To your comment about OpenBSD being useless for anything but a firewall, I've used OpenBSD on my notebook and it fits the job quite well.

Re:Security as a trade-off

[AC-x]

OpenBSD is probably unbreachable but it's terribly useless as anything but a firewall; to use it as a general OS, you have to turn a lot of its security precautions off. Linux (and by that I mean "GNU/Linux" e.g. RHEL, SUSE, Debian; not Android) gives us a healthy balance between usefulness and security. That's why almost every webserver runs Linux.

So OpenBSD makes a poor "general" (workstation?) OS, which is why "almost every webserver runs Linux"? Huh? Something being used for running as a server doesn't (and probably shouldn't) have to run well as a general OS.

Sure really tight system security probably would make a desktop OS more difficult to use, but the same doesn't apply to servers where security is more important.

Re:Security as a trade-off

I think it is wrong to assume that there will be one OS for all applications. BSD has some very good security features (e.g. root can not change memory). But we may not need to have a highly secure OS for video editing (especially if that workstation is not on the internet).

One does not use a VW Bug in a Formula 1 race.

Re:Security as a trade-off

[fizzer06]

Have you seen the CoreOS webpage? It seems a mess to me.

Re:Security as a trade-off

[LichtSpektren]

OK, I want to apologize for saying OpenBSD is "terribly useless". That was a wild exaggeration and very clearly wrong. I also in no way meant to demean the efforts of the OpenBSD developers.

That being said, if you're just talking about the kernel and core apps of OpenBSD, maybe they are indeed more secure than Debian or RHEL. But then again, Debian and RHEL are secure *enough* that you never hear about major breaches to them. But once you start talking about non-core software (e.g. webserver utilities), OpenBSD's had the same historic vulnerabilities as Linux as had with OpenSSL and the like--but so much more is available in the Linux ecosystem. Sure, you can compile whatever you want in BSD, but do the BSDs have as much extended support as Debian does?

Re:Security as a trade-off

OpenBSD is probably unbreachable but it's terribly useless as anything but a firewall; to use it as a general OS, you have to turn a lot of its security precautions off.

What in the world are you talking about? I run OpenBSD as my general purpose OS of choice on two laptops and one desktop computer, and of course on my router. I have no idea what these "security precautions" are that you say I have to turn off to make it useable. These features are an integral part of the OS and not something you choose to enable or disable. If it breaks third party software, they don't simply add a knob to disable it, they fix the damn software. Get your facts straight, please.

Re:Security as a trade-off

[Noryungi]

OpenBSD is probably unbreachable but it's terribly useless as anything but a firewall; to use it as a general OS, you have to turn a lot of its security precautions off.

Which why I have been using OpenBSD on my laptops for... Let's see... About 10 years now?

I'll grant you this: I don't do video editing or 3D modeling (I am, after all, a system administrator) but OpenBSD has proved perfect to surf the net, send emails, edit complex documentation (using OpenOffice or LyX), do some serious programming, edit images (Gimp and Dia), listen to music, watch videos and even play a game or two. As well as the usual SSH and Ansible into dozens of servers. And, yes, VNC and RDP are both available, so that includes Windows servers.

And all this without changing a single things to the default security settings to OpenBSD.

Re:Security as a trade-off

Fortunately, there are open source operating systems available where security is less of a trade-off and more of a priority,

Except that isn't a true statement, and you are demonstrating the very misunderstanding Linus is talking about.

By definition, security is a ratio between security and convenience. By ratio I mean [security]:[convenience] and adding them together must always equal one (or 100% if you prefer)

Black and white views leave only two options:
a) 0:100 where you have no security and total convenience, or
b) 100:0 where you have total security and no convenience.

Since both of those numbers must by definition add up to 100, you can't possibly have a mixture where one number is 100 and the other number is anything except 0.

This is why in the real world you pretty much never do have a 100 or 0 in the mix, but something else.
For example you can have 75% secure but that dictates only 25% convenient.
Or you could have 33% secure with 66% convenient.
You can't have 100% secure and 100% convenient because that totals 200, not 100.

To get 100% security such as is being demanded by these "security researchers", that demand dictates 0% convenience, and that option is already available on any OS you would like. Simply unplug ALL cables from the PC (including power) and you will have a completely secure but completely inconvenient system.

The researchers are apparently not wanting that despite their claim however, since they are the ones plugging their own computers into power and the network. Their actions contradict their demands.

It really is no different from the end user demanding their computer is not networked, then refusing to do anything except plug in network cables. it is simply not physically possible to have both a plugged in and an unplugged cable at the same time, yet they are demanding that be possible and trying to get other people to make the impossible happen without putting in any effort themselves.

Your OpenBSD being more secure than Linux claim is true, but that dictates OpenBSD is less convenient than Linux being true too.
So long as people like yourself demand 100% convenience, knowingly or not you are also demanding 0% security, so have no right to complain when you get exactly what you are asking for, as is the case here.

Re:Security as a trade-off

[mlw4428]

Do people still believe that Windows itself is uber insecure? Windows has mandatory access control, pushed UEFI, supports ASLR, DEP, and a host of other technologies, and they even virtualized their authentication system (LSA) to minimize the chance that you can gain control of the authentication system. I will agree that a host of drivers and software that runs on Windows is insecure, but the OS itself is every bit as secure as a standard Linux setup is. No it's not perfect and I'm sure there are philosophical security design decisions that someone will argue is the "wrong way". But the label "insecure as fuck" hasn't been applicable since Windows 7 came out.

Re:Security as a trade-off

That was a wild exaggeration and very clearly wrong.

So was this:

Windows is insecure as fuck.

You're a fucking troll and no amount of apologizes or backtracking is going to change that.

Re:Security as a trade-off

That says more about Blender than it does about OpenBSD.

Re:Security as a trade-off

OpenBSD is my "go to" OS for laptops. Anybody using WiFi (thereby exposing your machine directly to the Internet) without OpenBSD is crazy.

Re:Security as a trade-off

Our whole network runs OpenBSD, as do our laptops. It's terribly useful.

Re:Security as a trade-off

"In fact an OpenBSD installation with customer compiled packages will probably be less secure than a full blown BSD/Linux distribution that offers all those 3D modeling and animation packages out of their own repositories."

This is beyond stupid. It makes no sense whatsoever, and shows a total ignorance of security, software, and its principles.

Re:Security as a trade-off

True, we're no longer in the days of WinXP. Windows today 'looks' a lot more robust... BUT, until we can look at the code, we can't really say that it's "every bit as secure as a standard Linux setup is."

Until then, you are just relying on security through obscurity.

Re:Security as a trade-off

[squiggleslash]

I believe you got the last letter wrong. Garrett doesn't believe Linux has unfixable shortcomings, he believes the development process (ie Linus, not Linux - though this is an unfair personalization that I'm sure he'd be troubled with) is the problem.

There's no reason to believe that he believes Linux is a worse starting point than one of the *BSDs, nor that any of the *BSDs lack the problems the Linux process has (FreeBSD's politics are legendary, as is OpenBSD's Theo De Raadt's temper.)

Re:Security as a trade-off

[Burz]

I, for one, think OpenBSD's approach is dead wrong. Its not just the low functionality... its the philosophy of "security through correctness" /while/ turning a blind eye to formal verification. That makes OpenBSD the wost of all worlds, IMO: Neither small-and-tight nor large enough to be functional, with a concept of correctness that boils down to a slogan.

I'll pit a Xen-based Linux system like Qubes against OpenBSD any day, and I won't even take points off for not being able to run apps. Even Windows 7 running on Xen Qubes is ultimately more secure.

This is also what Torvalds is missing in this debate: He's kind of in denial that much of the Web runs on Linux installs that are encapsulated within type-1 hypervisors like Xen. Linux and *BSD have already been demoted WRT security.

Re:Security as a trade-off

Having said that wouldn't you be potentially better off starting with a guaranteed secure system and adding one potentially insecure component than starting off with a potentially less secure system and adding one potentially insecure component?

Sure, your self-compiled version of Blender might have a bug with security implications - but at least you don't need to also worry about openssh, httpd etc being secure,

Re:Security as a trade-off

[Holi]

And it took Apple to take it mainstream, reducing it's security in the process. So it kinda falls into what Linus was saying.

Re:Security as a trade-off

[Burz]

Congratulations: You have a 21st century terminal.

Its not worth the tradeoff anymore and here's why: Malware has expanded into attacks on hardware and firmware, two layers of our systems that have plenty of exploitable quirks of their own.

I've been using Xen Qubes for about 3 years: Using the IOMMU it automatically 'jails' NICs within a virtual machine at the hardware level. The result is that my Wifi/NIC can be attacked, and if they succeed they will only gain a foothold that confers the advantages of taking over one of my routers. My other VMs are insulated, and the non-networked ones completely isolated from mischief.

Other hardware can be selected for isolation in the Qubes GUI, and the Split-GPG and Anti-evil-maid protections are also quite compelling.

OTOH, OpenBSD's kernel is about 10X the size of Xen (where the BSD mantra of 'correctness' has a much tighter focus). As isolation mechanisms go, I trust Xen before any monolithic kernel. The upshot is that Xen also gives me the rich features (incl. drivers) of Linux and Windows.

Re:Security as a trade-off

[tnk1]

BUT, until we can look at the code, we can't really say that it's "every bit as secure as a standard Linux setup is."

This article blunts that point at least a little bit.

You can look at the Linux kernel code all you want, but if the suggestions of the security experts who *do* review the code and find the bugs are ignored, is that actually any better than what you get with Windows? All you get is that you *know* Linux is insecure as opposed to just assuming it with Windows.

You have to fix the bugs or implement the security features for the code review to actually have an effect.

I will grant, code review makes a risk assessment of Linux a lot easier than Windows. That is an important advantage, but if the risk assessment of Linux is "fatally compromised", then you may not be able to compensate for it and you start going to software providers who might be able to offer a better track record.

Ultimately, Linus may be right about what people want. There is certainly a good argument out there about making something that people can use, instead of building a locked box which is secure but which have no applications.

However, sometimes what people want changes and instead of running with the bulls, you're being run over by them when they panic and suddenly change course. Sometimes a little compromise in the interests of the future of the platform make sense, even if they are somewhat counter-intuitive at the moment.

Re:Security as a trade-off

[tnk1]

Maybe he has forked Linux and has actually fixed the issues, but he'd prefer that the kernel come that way without having to be patched.

Or he needs Linux to do certain things, and there is nothing better out there (which is Linus's point).

At the same time, Linux may make CoreOS possible, but unless Linux improves, it may also represent a big problem for CoreOS.

It's sort of like that "free" car your relatives give you when you're a teenager. You can't get a car yourself because you're too poor, but if it keeps breaking down when you try to make use of it to go to your job at the supermarket, you could find yourself wishing there was a way that car would be more reliable. And, it might someday get your ass fired while the guy you laughed at for biking to work every day actually got to keep his job.

Yeah, biking like using some other kernel may be a pain in the ass, but bikes and well designed kernels are easy to fix, and the extra work actually makes you healthier in the long run.

Re:Security as a trade-off

[Noryungi]

OTOH, OpenBSD's kernel is about 10X the size of Xen (where the BSD mantra of 'correctness' has a much tighter focus). As isolation mechanisms go, I trust Xen before any monolithic kernel. The upshot is that Xen also gives me the rich features (incl. drivers) of Linux and Windows.

Awwwww, you are so cute. You trust Xen more than kernel xyz? Really?

First of all, please read this.
Then take a look at this.

There are, let's see... right now, 35 CVEs assigned to the Xen project, in 2015 alone? 40 CVEs in 2014?

Compare and contrast with the number of CVEs published for OpenBSD. And the number of patches available for the latest version (5.8) of OpenBSD.. Here is a hint: 99% of these patches do not imply your machine is going to be ''owned'' by someone exploiting the bugs found. Yes, even the OpenSMTPD patches are pretty mild.

You can keep your Qubes OS, thank you very much, I'll stick to OpenBSD, despite all its defaults and warts.

Words of wisdom to meditate:

You've been smoking something really mind altering, and I think you should share it.

x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit.

You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.

(Source.)

Say what you will of this guy, he has got a point. Virtualization is great, but not for security. Period.

Re:Security as a trade-off

[i.r.id10t]

Dunno. At least in older versions of Windows someone had to attack and succeed before information could be taken out of it. With Windows 10, the OS takes a short cut and just starts sending information out...

Re:Security as a trade-off

While Qubes may be more secure, it is in many ways much less functional than OpenBSD.
AFAIK it lacks 3D acceleration, and instead of working in your "normal" home directory, where you can share everything between apps etc, apps have to use a sanitized temporary storage, which requires extra file management on your part.
Also, readonly-ness of apps and configs and such.
Don't know a lot about it (so go ahead and correct me), but apart from available apps, it is clearly less functional than your average OpenBSD system.
I assume things can be configured to be more functional, but that can compromise security (whether acceptably or not).
Ultimately it depends on what you need of course, tool job yada yada.

Re:Security as a trade-off

[epyT-R]

Garrett has a problem with linus' unwillingness to make 'social justice' part of the mailinglist interaction style.

http://linux.slashdot.org/stor...

Re:Security as a trade-off

There's also the "since your OS is secure, it's perfectly OK to leave unencrypted SSH keys lying around, and to generate them by default. We can't be bothered to use chroot cages, but boy, we're so secure we can just leave all our keys lying around unprotected, because our technology is so perfect!"..

The Subversion people have the same attitude problem, with less pretense. "If your system isn't secure, why are you usin g it?" is the attitude.

Re:Security as a trade-off

[unixisc]

This analogy is weak, given that both Linux and OpenBSD are free. So either could have been the base of CoreOS, and had Garrett picked the latter, a lot of issues that he complains about in Linux could have come readily fixed

Re:Security as a trade-off

[Burz]

I'd disagree on most points. Although 3D is a challenge for the Qubes project, it is possible to securely use it... if you dedicate a second video card to a VM. Fully integrated (properly virtualized) 3D is in development. Anyway, who uses OpenBSD for 3D apps??

Qubes does not use temporary home dirs by default (unless you're using a disposable VM).

Readonly-ness of apps/configs is a feature of Qubes' template-based VMs. If you don't want that, then create standalone VMs. Its your choice.

Re:Security as a trade-off

[Burz]

See my other response here.

TL;DR... Sorry, Xen has far, far fewer major vulns than Linux and I was being generous in the linked comparison. Type-1 hypervisors are firmly entrenched in security culture. They are one of the few things that actually work.

As for OpenBSD, too many of its vulns are marked as partially fixed. No thanks. The user base is still miniscule and coasting on a kind of security by obscurity. Plus, there are now L4 distros that are about as functional.

The 'point' about x86 is disingenuous. I don't see you suggesting different hardware......

Re:Security as a trade-off

Actually formal verification has indeed been used to check certain parts of OpenBSD. Usually the tradeoff of something like sel4 or the muen kernel is that you get strong proofs of a very minimal core, but as soon as you go outside of the core formally verified piece, there are no guarantees. Formally verifying a fully posix compliant OS is an extremely difficult task. OpenBSD strives for a middle ground of providing a posix compatibility and many many defenses against programmer error. It is a decent trade-off.

That being said, I wish more static analysis would be done on the kernel (i.e. coverity and similar).

Re:Security as a trade-off

Your comment sounds like complete FUD from someone who has never used OpenBSD or has no clue what they're talking about. Where do you get that OpenBSD user base is miniscule from? There is no obscurity about OpenBSD security. Total nonsense. They actually publish a lot of papers on the innovations over the years. Typically they invent stuff that linux distros try to add half-heartedly 10 years later. I pretty much guarantee the recent "tame/pledge" work they've done will show up in linux distros... oh around 2025.

ps, the fact that you're not worried about hypervisor security worries me. The xen bugs over the years have been pretty scary.

Re:Security as a trade-off

[Bengie]

Xen is about 10x larger than bhyve. Talk about bloatware.

Re:Security as a trade-off

Enjoy your partially-fixed bugs. LOL

Security isn't a product

[grub]

Security in Linux has been looked at as something you bolt-on after the fact. It was not designed from the ground-up with security in mind. Look at OpenBSD as an example: rock solid security and when a rare remote exploit is found, it's usually news on sites like /.

Re:Security isn't a product

[drinkypoo]

Security in Linux has been looked at as something you bolt-on after the fact. It was not designed from the ground-up with security in mind. Look at OpenBSD as an example:

Uh no. OpenBSD is based on legacy BSD code. It's not designed from the ground up for security. It's being implemented after the fact.

Re: Security isn't a product

OpenBSD is curated from the ground up with security in mind. And that's what is important. If you visit OpenBSD mailing lists, you'd see that the people who get flamed are those who take a slap-dash approach. People who haven't even read the Man page get no quarter.

Re:Security isn't a product

[grub]

From their homepage: "Only two remote holes in the default install, in a heck of a long time!" Granted the default install can't do much, but the code was gone over in a massive audit. Everything is still checked for correctness.

Not saying Linux sucks, but I sleep better at night knowing OpenBSD powers much of what I am responsible for.

Re:Security isn't a product

[gweihir]

That is complete nonsense. Any UNIX-like OS comes with a lot of security considerations right from the beginning.

Re:Security isn't a product

BSD, so rock solid the NSA was able to sneak in a Back door...

Re:Security isn't a product

Please find a list of current OpenBSD exploits.
Thanks!

Re:Security isn't a product

[Burz]

I sleep much better knowing Xen is 1/10th the size of OpenBSD's kernel (which is still monolithic like Linux). The bolt-on-security-afterward mindset has led to one very positive trend: Running Linux instances under type-1 hypervisors.

Think about how much of the Web (indeed, the world) runs under Amazon AWS/EC2. That is Xen.

Linux mostly provides features, and while Torvalds has not fully woken-up to this fact, the software ecosystem has and it is providing a better form of security-correctness than the BSDs can.

Re:Security isn't a product

Umm...so how many 'remote holes' are in the 'default install of Linux'? And be careful here, I do NOT mean 'default install of Ubuntu', The point being is that as you note the default install can't do much'..so strip away all that extra stuff that is a 'distribution' & leave only those bits that are equivalent to a 'default install of OpenBSD'...now, how many 'remote holes' are in that 'default install of Linux'? I truly don't know myself but given your caveat about OpenBSD I'd wager to say 'about the same amount' and it's likely due to the same reason 'bugs' NOT 'security design'.

Re:Security isn't a product

There are exploitable kernel problems in the current Linux kernels that can create a remote shell with certain malformed packets.

Re:Security isn't a product

Actually yes. OpenBSD security is not "implemented after the fact". Many of the ideas are brand new. And although Theo can be difficult to work with sometimes, his real genius is in the way he's smartly integrated new features without breaking any of the unix ecosystem. In my book the guy is a genius. And it's the reason I switched over from Linux to OpenBSD a few years ago. Actually as a funny aside, I recently tried to install Linux on my OpenBSD laptop for a commercial app and I was amazed how every distro I tried failed at the install stage. Has Linux hardware support gotten that bad over the years? Pretty surprising given that the OpenBSD install was flawless even though it has the rep for smaller hardware support.

Re:Security isn't a product

[drinkypoo]

Actually yes. OpenBSD security is not "implemented after the fact". Many of the ideas are brand new.

And they are being implemented on not just a legacy operating system design, but actually a legacy Unix code base. Therefore, as I said, security is being implemented after the fact. They didn't throw away the legacy code and start over, they're replacing it one piece at a time. There are clear benefits to that model, but like I said, it's security being implemented in BSD after the fact [of its development]. Why is this difficult to comprehend?

And it's the reason I switched over from Linux to OpenBSD a few years ago.

The last time I tried to use OpenBSD even as a router, its poor driver support preventing me from doing so. It didn't support my NICs, hilariously. This is the one thing that almost everyone agrees should be done with OpenBSD. Problem is, they reject driver patches on specious grounds. The one I needed had been rejected (found it on the list) on the basis that there might be a patent conflict issue with Linux, although they only got some values from there and it's already been established that isn't an issue as the licenses are compatible to that extent.

Pretty surprising given that the OpenBSD install was flawless even though it has the rep for smaller hardware support.

Even FreeBSD has shittier hardware support than Linux, and OpenBSD is much worse than that. The fact that it didn't affect you is meaningless.

Re:Security isn't a product

wireless in linux blows. openbsd totally owns linux on the front of wireless.

Re:Security isn't a product

Pretty surprising given that the OpenBSD install was flawless even though it has the rep for smaller hardware support.

Even FreeBSD has shittier hardware support than Linux, and OpenBSD is much worse than that. The fact that it didn't affect you is meaningless.

wow. you are really drinking the linux kool-aid. linux has seriously deteriorated over the years. and the stink of arrogance from linus about security is unforgivable.

Re: Security isn't a product

Too bad OpenBSD is a pain in the ass to install and get anything useful running.

If all you need is a kernel, sure it is very secure but 100% worthless.

Linux the OS vs. the Kernel

[CajunArson]

Linux the OS certainly has had numerous real-world security problems that need to be addressed. I don't particularly care about the semantics of "Oh it's just a kernel!" because I could play the exact same game with Windows where Windows kernel vulnerabilities aren't super common either. Guess what: Linux and Windows both run the same web browsers these days, and that's a cross-platform security hole no matter who wrote the kernel.

Additionally, the biggest security hole I see now is Android due to the fact that it's damn near impossible to actually get upgraded software to fix the numerous holes.

However, Torvalds' direct responsibility is the kernel, so in this particular context I'm not going to give him too much grief. The Linux kernel does actually include extremely sophisticated mandatory access control systems like AppArmor, SELinux, etc. However... and this goes to his point... these systems are used sparingly because they are REALLY complex and lead to all kinds of usability issues for unsophisticated users (And "unsophisticated" here could easily mean a skilled Unix sysadmin with years of experience. These MAC systems are *not* considered "normal" in UNIX).

So basically: Yeah, Linux is not perfect. Nothing out there is perfect. However, the kernel actually does have a bunch of sophisticated security facilities. Maybe more work should go into making these sophisticated security features more accessible and useful to regular people.

Re:Linux the OS vs. the Kernel

And maybe those tools are hard to use BECAUSE of how Linus views security. Having a negative, derisive attitude towards security instead of actively, cooperatively working with those focused on security could be what leads to the situation in which security-oriented kernels/distributions are slow and difficult to administer.

Re:Linux the OS vs. the Kernel

[LichtSpektren]

I'm not a professional sysadmin, but I don't find SELinux particularly difficult to administer--a little annoying perhaps, but not out of reach for mortals. AppArmor is very easy to use. Most of the time I don't have to bother with either of those. I install Ubuntu MATE, turn on ufw and automatic security updates, and bam. That's all I need.

Almost all of the serious vulnerabilities Linux has experienced over the years had nothing to do with kernel. Shellshock and Heartbleed were flaws in Bash and OpenSSL. Contrast this with Windows: exactly *how many* critical exploits have been found over the past two decades?

Re:Linux the OS vs. the Kernel

Having a negative, derisive attitude towards security

Where did you find grounds for that? Or are you one of those who just like to pour some hate on Linus now and then?

Re:Linux the OS vs. the Kernel

[Danathar]

It's MORE than Semantics.

Linux is not an OS. It never was. You can't download and install "Linux". You download an OS that uses the Linux Kernel (sometimes modified). BIG difference. There can be HUGE differences between OS distributions that use Linux as a Kernel.

Microsoft writes the Kernel to Windows AND the surrounding software that supports the Windows operating system. That's VERY different from the OS community that uses the Linux Kernel, or the OS community that uses the BSD userspace tools and libraries that they want (MacOS, OpenBSD, FreeBSD, NetBSD)

There is a reason Stallman refers to it as GNU/Linux, he is pointing out that Linus and crew are NOT responsible for the stuff surrounding the Kernel, and shouldn't get the praise or be damned for security vulnerabilities in things like standard C libraries, command line shells like BASH, etc.

Re:Linux the OS vs. the Kernel

I'm not a professional sysadmin, but I don't find SELinux particularly difficult to administer

Exactly, people only think it's a nightmare because other people say it is on messageboards. There's a learning curve, but once you have a handle on it, you're the company SELinux expert and another bullet point on your resume.

Re:Linux the OS vs. the Kernel

[sjames]

Not to mention that the kernel supports separated privileges and can actually be used in a rootless system but in practice, it never is.

Re:Linux the OS vs. the Kernel

I don't particularly care about the semantics of "Oh it's just a kernel!" because I could play the exact same game with Windows where Windows kernel vulnerabilities aren't super common either.

It's not the same game. Remember some critical IIS vulnerabilities from this year where it was known that, for performance reasons, some http parsing was done in kernel space.

The point is that safety alone is not productive.

[aussersterne]

We are talking about securing tools. But the point is that tools do things. We want tools to help us to accomplish the things that the tools do.

A perfectly safe hammer is entirely possible. Make it out of flame-resistant, soft, synthetic materials and fill it with something equally soft. Shape it more like a ball than like a stick, so no-one can accidentally stick it in their mouth and suffocate.

Of course, now you have something that can't be used to pound in nails—but it's entirely the safest hammer on the planet.

Will anyone buy it or use it? Of course not. And they'll still need something with which to pound in nails. That's Linus' point.

Matt Garret?

The same Matt Garrett that accepted a shit patch and got kicked out of Intel for it? The one that fart-farts to anyone who doesn't see his point of view? The one who deems the wholy commuinty toxic and problematic?

Garrett has no business beeing anywhere near the kernel or security issues

Holy hell is slashdot pushing the anti-meritocracy agenda here.

Re:Matt Garret?

That's because meritocracy is a myth, akin to jesus christ or the lockness monster

Re:Matt Garret?

The same Matt Garrett that accepted a shit patch and got kicked out of Intel for it?

Because I'm curious... source?

Re:Matt Garret?

[Eunuchswear]

The one that fart-farts to anyone who doesn't see his point of view?

His blog, his rules.

Every time I've seen him fart-fart some post it's because the poster couldn't read the clear and obvious warning.

Re:Matt Garret?

[gweihir]

Incompetent and unaware of it. This person qualifies. For these idiots, it is always others that make the mistakes, never they themselves, and hence they never produce anything good because they do not learn.

Re:Matt Garret?

[0xdeadbeef]

His blog, his rules.

There it is again, that right the social justice zealots assert for themselves but don't allow for people like Linus Torvalds and the Linux community.

Re:Matt Garret?

>Every time I've seen him fart-fart some post it's because the poster couldn't read the clear and obvious warning.

Just curious: how would you know? The fart-fart style of censorship having destroyed the original comment.

What to use? Hmmmm.

Do I keep shelling out money for an operating system that is the number one target of hackers, malware, spyware, which has already bit me in the ass by visiting a single (not porn) website, and frequently crashes? Or do I install a free, less known, not as noob friendly, more secure, almost zero crashes operating system? Nah... Microshaft can stuff it, Installed Linux since Ubuntu 10.04 and will never go back to the dark side. I do hate Unity though, gnome-flashback gives me that warm fuzzy feeling I'm used to.

Re:What to use? Hmmmm.

It's okay to not like Windows, but be real. Windows since 7 have gotten security right. Arguably more so than Linux.

Re:What to use? Hmmmm.

[jedidiah]

Nope. The current Windows continues to be a threat to it's own users who need constant hand holding from either corporate IT or some other form of (unpaid) onsite tech support.

That's because the NSA got to Torvalds...

He's making the security suck on purpose, and then telling you security doesn't matter anyways. I'm old enough to remember when Linux was actually kind of exciting and fairly good. Clearly, those days have passed.

Re:That's because the NSA got to Torvalds...

[U2xhc2hkb3QgU3Vja3M]

Yeah, Linux has now become a commercial, almost for-profit operating system. That's why I'm switching to a Mac.

Fight for your bitcoins!

Re:That's because the NSA got to Torvalds...

What kind of idiot modded this comment as a troll? Is your sarcasm detector broken, shithead?

Linus, As Always, is Full of Excuses

The reason Linux is not more secure than it could be is singular: Linus' draconian "my way or the highway" development process. I have seen many security patches submitted to the kernel over the years, only to see them cast in the trash by Linus in one tirade or another over specialized pedantry. I've seen solid security patches rejected over wording in comments.

I'm honestly shocked that the kernel hasn't been forked.

Oh wait. It has.

Re:Linus, As Always, is Full of Excuses

That's bullshit. SELinux, AppArmor, and such things exist, and introduce features that none of the *BSDs have.

This article is the geek-feminism clique (i.e. val hens^Waurora, mjg59, sarah sharp, etc.) trying to push Linus out of their way. They'll fail as usual, and then go on to the next thing.

Re:The point is that safety alone is not productiv

[postbigbang]

It's not that black and white at all. The OSHA-like examples of stupidity in motion don't apply here. What is present is an enormous crime effort to make money from other's computing misery. Look at what's happened, in terms of breaches, thefts, extortion, and just plain misery.

The problem starts with every coder everywhere, every sysadmin, network engineer, and web designer. The culture of security starts at the top, and here, at the Top of Linux, Linus brushes it off. These aren't nutters or nutjobs, these are the wounded, the broke/bankrupt, and those rapidly looking at systems infrastructure as if it's a joke.

This article is pure FUD

[LichtSpektren]

TFS makes the article look rather balanced, but if you actually read it, it's pretty clearly FUD attempting to make the kernel team look indifferent (or even incompetent) regarding security. It blames the "towelroot" Android exploit as being the fault of Linux, and compares Linux security to car manufacturers in the 1960s willfully avoiding seat belts and other safety mechanisms. Was the author bribed by Microsoft?

Re:This article is pure FUD

>Was the author bribed by Microsoft?

It's Matthew Garrett, given his history this is not outside the realm of possibility. But nasty case of sour grapes is a more likely reason.

Re:This article is pure FUD

Was the author bribed by Microsoft?

More than likely, author incompetence fed by experts who obviously can't agree, collaborate, and fork their own "Secure Linux" kernel which would, you know, make the whole article moot. And that's the part that's most disingenuous about the discussion: when security experts themselves can't seem to agree on which sort of "seat belt" to use and it's clear that it's more about subjective opinion and not merely use-case specific needs (which would just mean having different profiles and incorporating the different sorts of countermeasures).

The other real problem is that "seat belts" aren't the best analogy but instead the better comparison is to the early years of cars when 12mph was the speed limit and so would equate to having speed limiters in cars to never go over that limit. But even that wouldn't quite be a perfect analogy. Even better possibly would be cars that were limited to carrying exactly 200lbs while going that 12mph. Because it's invariably the outward facing programs and their ability to be quickly exploited that's the core issue and infrequently the actual kernel that's at fault.

And that circles back to the story about MS, which they mildly bring up in the article. The big issue they miss about MS was that not only were they indifferent to security at the time, they actually endorsed horrible security practices like ActiveX. Admittedly, it was intended for intra-office work and the whole Zones setup was to prevent it from being abusable, but Java as a platform* was much more inline with what was needed. It's why the dotNET Framework was created. Yet even still, MS has a lot of security issues today in their web browser even if they've abandoned ActiveX and taken much more proactive steps to avoid exploitation.

Overall, security is a process with a trade-offs and I readily see why people take issue with Linus not seeming proactive enough. In the end, though, I think it's hard to well qualify what is the best steps to take with such a complex issue. Certainly, though, I do think Linus takes security seriously and the part about "indifference" seems the most libelous statement made.

* Not to say that Java hasn't proven to have all sorts of robustness issues (as did/does NT, but then very few people focus on how much MS was pushing NT's robustness and how absurd those statements were**). But if MS had cared and wanted to make a better platform, they could have done to Sun what Google does to MS now: fuzzy test their code, focus on stuff that's slow, and basically by reputation make the Windows version of the software the de facto best software to use even if they're are legitimate other forks/platforms. Instead, they went NIH and went with an abysmal "Do you want to be exploited with ActiveX-based software?" yes/no dialog. That's precisely the wrong way to go about doing 99.9% of internet technology.

** This actual leads to the technicality that NT might be robust but then 99.9% of software runs on Win32/Win64 which runs on NT. The underlying kernel may be technical robust (well, there was the whole backspace vulnerability) but if the useful interface which everyone uses is readily exploitable it's a moot point. Which again loops back to the point of layers and where you have to chiefly worry about exploits, as much as you want robustness all the way down.

Re:This article is pure FUD

Having a secure kernel is not moot. It is equally pointless to harden the outward-pointing applications if the kernel has holes. If those outward-looking apps are fixed (or not installed), the attackers will just start looking for other vulnerabilities, it's a cat-and-mouse game. And if exploiting vulnerabilities in the apps depends on naive or predictable behavior by the kernel, avoiding such behavior would make the entire system somewhat less susceptible to as-yet undiscovered (or unpublished) flaws in the apps.

Re:This article is pure FUD

[PhrostyMcByte]

No kidding. The thing continually suggests that Linux is insecure on all number of ways (none are mentioned specifically), and that Linus is indifferent toward security. It has this completely useless statement to try to create a false association between Linux and the Ashley Madison hack:

Versions of Linux have proved vulnerable to serious bugs in recent years. AshleyMadison.com, the Web site that facilitates extramarital affairs and suffered an embarrassing data breach in July, was reportedly running Linux on its servers, as do many companies. Those problems did not involve the kernel itself,...

Re:This article is pure FUD

[LichtSpektren]

What you wrote is true, but that's not why this article is despicable. The image the author is painting is one where Torvalds wakes up in the morning, arbitrary tosses a bunch of new goodies into the kernel according to his mood that day, and within a minute everybody's machines are getting their kernel updated. We should be very alarmed by this, because Torvalds is a loose cannon that doesn't care about security and brushes off the opinions of security experts. So don't use Debian for your webserver, pay $899 now for Windows Server 2012!

Unless you're compiling alpha-release kernels on production machines, the reality is that all of the changes merged into the kernel go through the Linux security team (composed of paid experts from IBM, Novell, VMware, Google, etc.--companies that have a vested interest in Linux being secure and stable), AND THEN it goes through the kernel teams at Red Hat, Debian, Android, Canonical, Fedora, Arch, Gentoo, etc. all of whom report any vulnerabilities back to the Linux team. If all of these companies and distro teams were getting their patches shunned, they would fork Linux--but it hasn't happened yet. What does that tell you?

Re:This article is pure FUD

[Eunuchswear]

It blames the "towelroot" Android exploit as being the fault of Linux

But towelroot was the fault of linux, no?

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3153

Re:This article is pure FUD

[Eunuchswear]

It's Matthew Garrett, given his history this is not outside the realm of possibility. But nasty case of sour grapes is a more likely reason.

The article was written by Craig Timberg. Matthew Garret does not write for the Washington Post.

Re:This article is pure FUD

[LichtSpektren]

It was indeed a kernel vulnerability, but it was fixed very promptly. The reason why it was such a notorious Android exploit is because phone manufacturers and telcos intentionally prevent security patches from going through (so you'll buy a new phone).

You might reply "so what?, it's a kernel exploit", but allow me to point out that if you used just about *any* operating system and turned off security patches, there would be similar exploits. OpenBSD included. Security is not a state, it is a process. One should judge how secure an OS (or in this case, OS kernel) is not just by how many vulnerabilities are discovered, but how critical they are and how fast they are fixed.

Re:This article is pure FUD

Having a secure kernel is not moot.

Given that that's not what I said, that's pretty well a strawman. What I DID say was that having a technically robust kernel might be a moot point because while it should prevent against system crashes, it means nothing against potential worms, malware, botnets, or accessing other user accounts which nearly if not entirely reside in the user/Windows subsystem layer. Ie, you've still got a heavily exploitable system, but at least it'll have great uptime.

It is equally pointless to harden the outward-pointing applications if the kernel has holes.

And this is patently false in plenty of circumstances. Whenever physical access can be controlled, all kernel exploits that are local are only exploitable by those with physical access and those outward pointing applications. There's a reason web browsers are the main attack vector, followed behind with email and the like. To actually get to the point that kernel bugs are an issue requires having exploits that can access the kernel in some fashion in the first place.

If those outward-looking apps are fixed (or not installed), the attackers will just start looking for other vulnerabilities, it's a cat-and-mouse game.

And yet it'll always be that way because key loggers, botnets, etc don't require kernel vulnerabilities to function. And honestly most if not all mitigation factors can be done in user space with little or not kernel support (which, btw, is the area we're treading more into than actual kernel bugs) and that's about protecting the outward facing apps, not the kernel.

And if exploiting vulnerabilities in the apps depends on naive or predictable behavior by the kernel, avoiding such behavior would make the entire system somewhat less susceptible to as-yet undiscovered (or unpublished) flaws in the apps.

This is the one point I would agree with. However, the vast majority of the time such exploits have in the past not been at the kernel level but at a higher level through programmers naive trust in input from untrusted sources and passing values around unescaped (the shellshock vulnerability was an actual bug which wasn't the developer's error per se (as I understand it)). Still, it is a real attack vector that should be addressed.

The overreaching point, though, isn't that one shouldn't try to secure the kernel. That wasn't my point. In fact, it's unclear what the security experts in the article were really after except a mindset shift on Linus' part on security. Because at a functional level, there's been plenty of additions made to the kernel to allow for user software to be sandboxed and for security risks to be mitigated.

That the kernel itself isn't sandboxed under its own mitigation layer has probably more to do with the pointlessness of it. You'd end up in the same situation as Windows. The NT kernel may be secure, but functionally the Windows subsystem is the kernel people know and use. And if you probably get it stuck in a crash/reload loop, you've got an effective DoS attack that makes the NT kernel technically being up a moot point (well, maybe not if you can still ping the system or otherwise get some rudimentary data out of it and that's all you really need).

It's the same situation with OpenBSD. Sure, it has a robust and really secure core system, but its functionality is very limited. This isn't to bash OpenBSD by any means, btw. If OpenBSD's core system is all you need, then you're very much set. Yet most software hasn't been hardened to OpenBSD levels and reasonably likely never will be (the man hours to do it are so great that it's unlikely we'll still be using the software by the time it's done). All the mitigation in the world come crashing down very quickly, though, because it's all (as you say) a cat and mouse game and the cat has millions to make on winning.

So, sure, work to secure sof

Re:This article is pure FUD

[Zaiff+Urgulbunger]

^ that Ashley Madison point really irritated me too! If I had mod points right now....

Re:This article is pure FUD

And? Look, the article makes it sound like Linus is totally unconcerned with security NOT that there aren't bugs in the kernel software that could be exploited. Linus not only admits that but places them exactly where they should be...e.g. in the same exact contact as ANY bug that can cause a severe problem whether its security or simply writing all over your file system & wiping out your data.

If the article was about security researches calling for a 'deep code review' of the Linux kernel in order to discover & fix 'security bugs' I have no doubt that Linus would say "AWESOME, knock yourselves out and I will immediately execute any patch you have that fixes such bugs (provided your patch is also not just shit/crap that breaks user space). At the same time he might also say 'While you're at it feel free to look for bugs that cause the system to crash or be unstable or write all over the file system etc" Of course he can't make people do that so whatever goal someone wants to pursue in a 'security audit' is entirely up to them and likely very welcome by Linus.

On the other hand, if these 'security researchers' expect Linus to get all giddy and accepting of changing the way the kernel works so as to guard against these bugs (thus no one has any incentive to do a code review to begin with) AND it will fundamentally change the interaction with developers & user space than Linus is going to tell these 'security researches' to take a freakin' hike.

Re:This article is pure FUD

[Eunuchswear]

So you and Linus think the problem with the Maginot Line was that it wasn't strong enough, not that it was a fundamentally stupid idea.

Defense in depth. That works. Unbreakable fortresses, not so much.

As a security professional...

[SecurityGuy]

I have to say that if this is his position:

His broader message was this: Security of any system can never be perfect. So it always must be weighed against other priorities — such as speed, flexibility and ease of use — in a series of inherently nuanced trade-offs. This is a process, Torvalds suggested, poorly understood by his critics. 'The people who care most about this stuff are completely crazy. They are very black and white,' he said ... 'Security in itself is useless. The upside is always somewhere else. The security is never the thing that you really care about.'"

He's absolutely dead right and more people in the security profession need to understand what their job is really about. Security is a support role. Our job is to make someone else's stuff work better. Even if you're secret service protecting the president, the core value in your job isn't security for it's own sake, it's making sure the guy in the suit is able to do his job tomorrow.

Re:As a security professional...

While quite true, in some areas security has to be a primary concern.

If the only way for your house design to work is to have an open door to the outside, you shouldn't build it in a crime ridden slum.

Unfortunately "crime ridden slum" is pretty much the real world equivalent to the open web these days.

Re:As a security professional...

[Major+Blud]

"Yes, the goals of the secpro often conflict with the goals of the desktop support technician, but in the end security is more important than usability"

So take your server, unplug it from the network, lock it in a safe, and throw away the key....since security is more important than usability, as you say.

Re:As a security professional...

Throwing away the key is not a secure practice, pretty much anybody could find it in your trash.

Re:As a security professional...

[Cassini2]

If the job was only about securing data, then security professional's would recommend destroying the data. The military has been known to do exactly this. Destroying the data creates the ultimate security.

What makes security people into security professionals, is that the professionals can design systems that allow authorized activities happen smoothly while simultaneously keeping out the bad guys. That is a much harder task than simply securing the data against unauthorized access. It requires the professional to focus on the balance between usability, security and profit.

Re:As a security professional...

Yours is just an excuse to stop considering grsec and selinux, which could have prevented a hell of a lot of bugs

Re:As a security professional...

[s122604]

I've always said this as, turn off the server, put it in a safe, fill the safe with cement, and then drop the safe in the Marianas trench...
I am not responsible for any priapisms this post causes "secpro"s

Re:As a security professional...

And you know what happens when some security measures make something unusable? The users create workarounds, making the whole security effort pointless.

Re:As a security professional...

When a user creates a workaround for an established security policy, that is when that user is fired.

Re:As a security professional...

The fact that the president is allowed to walk around and do his job where he is exposed instead of being locked up in a bunker where he is safe is a clear indication that at least someone is disagreeing with you.
Or rather, that while someones job is to only think about security it is very important that those in charge hold this person on a short leash so that he doesn't go overboard.
Feel free to prioritize security over everything else, just remember that any company that prioritizes security over their core business will be crushed by the competition.
Security serves no self purpose.

Re:As a security professional...

I have a different take, as a security professional. The coding errors that are most commonly responsible for security vulnerabilities are errors that also negatively affect performance and usability. Fixing security problems isn't a "nuanced" process of weighing tradeoffs: it's about educating coders to write god code, rather than just "crap that works." Secure coding doesn't take any more time -- in fact, it takes less due to less time spent troubleshooting -- but it does take better educated coders.

Re:As a security professional...

[SecurityGuy]

What if that user is an executive?

What about the time between them creating the workaround and you identifying it and closing it?

What if lots of people do it? You can't fire them all.

This is my point: If the thing the user is doing is actually important for the business, the business should be HELPING them do it in a secure way. The security role's job is to support the business so that the decision makers understand the risks of different approaches and can make a reasonable choice of which of those risks to accept.

Re:As a security professional...

[SecurityGuy]

Fixing security problems isn't a "nuanced" process of weighing tradeoffs: it's about educating coders to write god code, rather than just "crap that works."

Let me give you an example. Your security problem is that you just hired a guy who plans to steal documents on your Super Secret Widget. He has no criminal record (yet), or other reason for you not to hire him. He has legitimate access to the system containing the plans, copies them, and goes home. Security problems are often nothing to do with software.

Software security is certainly important, but it's only a small part of security as a profession. The default assumption is that all software has vulnerabilities, and that the truth of that has been proven time and time again.

Re:As a security professional...

[PvtVoid]

He's absolutely dead right and more people in the security profession need to understand what their job is really about. Security is a support role. Our job is to make someone else's stuff work better. Even if you're secret service protecting the president, the core value in your job isn't security for it's own sake, it's making sure the guy in the suit is able to do his job tomorrow.

Bingo. And over-zealous security can actually be counterproductive when it gets to the point that frustrated users start to work around it in unpredictable ways in order to get their work done. Case in point: I use a network on a large, open campus that implements highly restrictive network access policies, including "secure" wifi login that requires individual authentication via a custom app. It's a total pain in the ass, and is also notoriously flaky and unreliable. So what happens? Everybody has a rogue wifi access point in their office.

Re:As a security professional...

[PvtVoid]

When a user creates a workaround for an established security policy, that is when that user is fired.

As if the security guy in IT has the authority to fire people.

Re:As a security professional...

[gweihir]

Well said. Otherwise you could just lock the president away in a box or not even power up the computer. Prefect security, perfectly useless. In fact a major part of being a security expert is explaining this to one sort of people. The other sort you have to explain to that some level of security (always based on what the risks in the concrete situation are) is pretty necessary.

Both black and white are entirely wrong and useless in the security space. It is all about finding the most useful shade of gray.

Re:As a security professional...

Why even have the server in the first place? Communication itself is a security risk -- why bother creating a useful product when the only secure thing to do is lock the door, put your tinfoil hat on, and bask in the joy that is the good idea for a product you have.

Re:As a security professional...

[tnk1]

That's not a useful argument. The previous poster discussed priorities, you're suggesting it is either you get to do what you want, or it is the same as if the server was shut off.

Yes, security professionals want things that may make it more difficult to implement features, but rarely are those features rendered impossible. And the ones that *are* rendered impossible perhaps shouldn't have been considered to be desirable in the first place because they were privacy or security disasters waiting to happen.

I have asked for a feature at a past company I worked at where coders would actually provide audit events in the code that get logged so we can see what was actually happening in our own application. It was required for security, but you could argue that it would be useful for people like customer support. It had to wait for a bunch of other features to get done, but we couldn't even talk to the Federal market without audit events being up to snuff. And, because of that, we lost potential customers and our troubleshooting suffered. Security isn't always blocking progress. Sometimes it demands capabilities that your application actually needs in order to turn a profit, even if they aren't shiny.

You have to prioritize security somewhere and whether it is a higher or lower priority, you have to take it seriously. I accept that you may need to get this or that product feature into the code before a competitor, but eventually you build up so much security debt that you can't get out of it without a lot of work, and then the moaning starts about how there would have to be a "complete re-write" to even address security, so why bother?

And then you have some disaster like Target or AM or Sony or take your pick. AM is toast now because their security was hilariously bad. Sony was embarrassed because their security was (and probably is) hilariously bad. I seriously doubt that there was a exec meeting or something where any of them said, "Fuck Security". What happened is that they kept saying that usability or features are more important and security was second, and it *stayed* second, which meant that it *never* got fixed.

Re:As a security professional...

[info6568]

Long article, lo dissect later.

Security is an important part of everything. What happens is that it was not considered as an independent entity before.

I understand Linus point of view, although he is focused in functionality. And this bring some clues to the scene. When we think about just bugs, of course that they need to be addressed because they are problems that didn't need to exist. However, and this is where "security" come into account, there are semantic issues that, not being formal technical problems, derive in terrible lost of data. And if you lost data, why to use the software?

In essence the situation is who needs to deal with these problems. Because they need to be resolved.

A big complication with the Operating Systems is that they are trying to do everything. Then, and this is inevitable, they acquire responsibilities. When your O.S. is small, clean, pure and perfect, you have less trouble, you can make it work better and the security elements are usually outside your control. Then, others work the semantic issues. But when acquiring more power, I am sorry, but the semantic problems are part of your daily problems accept you them or not. And at the end, if you decide not to work these problems, other would need to do so usually creating complicated and dangerous situations.

Re:As a security professional...

[calque]

I've always said this as, turn off the server, put it in a safe, fill the safe with cement, and then drop the safe in the Marianas trench...
  I am not responsible for any priapisms this post causes "secpro"s

Ok, but it's still not secure from James Cameron.

Re:As a security professional...

Disagree. Security is not just confidentiality - integrity and assurance are also parts of the puzzle. Arbitrarily destroying data is as much of a security breach as having it copied by black-hats.

YOUR ANALGY IS STUPID

but what you dont relizee is while you are using the hammer a huge KING COBRA is going to bite you and kill you! but just when it is about to strike, a hawk soups in and eats the COBRA! Then lightning kills you because you swung the hammer two hi!

Re:The point is that safety alone is not productiv

Just... no. Security is taken seriously throughout the industry, ESPECIALLY at the so-called "top" (which is just a figment of your imagination, really). The point is it's taken seriously by people who are using the technology for something else. In service of a greater system, and greater goals. This greater system and pursuit of greater goals is generally what introduces a lack of security, and it is unavoidable even if you never touch a computer.

Re:As a hacker/identify thief...

I completely support both of your positions!

My Experience, Too

I've been involved in IT security in one guise or another since 2002. The single most important thing I have learned about IT security was learned attending a security conference where Bruce Schneider was one of the speakers. His one-sentence line has always stuck with me: "Security is a process, not a product." This one sentence changed the entire way I see security and, as a result, I am free to make better decisions about what I'm doing and why because I'm not focused on say, a firewall, or a router, but how everything in the LAN/WAN works together, balancing the needs of everyone from HR to the nerds in the darkened basement.

Re:My Experience, Too

[oh_my_080980980]

THANK YOU! Put that on billboards with ten foot letters: "Security is a process, not a product."

Something Jennifer Laurence learned the hard way.

Re:My Experience, Too

So is masturbating.

Cheap, fast, secure

Pick two (not that you always have the choice anyway).

Re:Cheap, fast, secure

Windows has none of the above.

Re:Cheap, fast, secure

Windows has surpassed Linux in performance, stability and security. With flying colors.

Re:Cheap, fast, secure

[toddestan]

Well, compared to some things, Windows is incredibly cheap. But it still doesn't beat free.

Linus isn't trying to make it black and white.

[aussersterne]

He's trying to say that if people want powerful, flexible networking, they'll choose an 80% safe OS that enables this easily over a 90% safe OS that imposes lots of overhead costs to make it possible; that people will choose a 60% secure OS that runs their processing jobs in 3 hours over an 85% secure OS that runs their processing jobs in 6 hours.

He's pointing out that people like security well enough, but they want to get stuff DONE even more, and that most people will take the calculated risk to be less secure if it makes them more productive at lower costs. That if there is a less secure but more productive option, up to some arbitrary point (that is different in each case, but that can be inferred by the movement of markets and communities as a whole), they'll choose the more productive option.

And that there is no point in saying "then all of us that produce these things must get together and make highly secure, if less capable stuff, so that all choices are equally highly secure!" because as soon as that happens, a garage coder somewhere is going to have a project on github that says "I got tired of waiting for jobs to finish, so I wrote my own from scratch. It's totally insecure, but damned if it doesn't finish the job in half the time!" and that people will immediately flock to it.

In other words, his goals for Linux aren't for Linux to be the most secure OS on the planet, but to be one of the most useful and used ones.

Re:Linus isn't trying to make it black and white.

[postbigbang]

I believe you're putting words in his mouth. Sleazing on security to get as you put it "stuff DONE" is what got us here. The ends don't justify the means.

And look at the means! Systems security has become battle #1 for many, many IT people.

Re:Linus isn't trying to make it black and white.

[rickb928]

Functionality has become battle #1 for many, many IT people.
Manageability has become battle #1 for many, many IT people.

Your statement is specious. IT has many, many challenges. Security isn't the only one, and may not even be the most important one for some subsets of IT industry. IT is not a monolith.

And when security becomes a sufficient impediment to make functionality decreased, it has then only succeeded in defeating the purpose.

ps - when you can describe an absolute security solution, you have solved a finite security problem. The next security problem then puts the lie to that. Security is not an event, nor is it a task, It is a process.

Re:Linus isn't trying to make it black and white.

[postbigbang]

Never said IT was a monolith. I fully appreciate the many responsibilities, many are now heavily distracted by the fireman's drill of dealing with security issues.

Security is indeed a process, but insufficiently applied as a discipline across IT-- including coders, viz the incredible breaches across industries, governments, and personal equipment. It's now slowing down, it's become vastly more damaging.

Re:Linus isn't trying to make it black and white.

So basically he's co-opting Steve Ballmer's talking points concerning MS "security." Got it.

Ditching Linux for BSD 15 years ago was the smartest thing I've ever done, computer wise.

Re:Linus isn't trying to make it black and white.

Systems security is battle #1 for the incredibly deluded.

Actual systems security is based on design and protocols that actually make a computer/network system secure.

But almost every CEO/CFO on earth is willing to sacrifice security to lower their operating costs, just as they're willing to fire any number of employees that results in a sustained rise in their stock prices. This is why defective computer security is the status quo.

And how does top management address computer security? Well, it involves computers and networks, so make the CIO/COO hold the ticking shitbag. Of course, the CIO that actually understand security will make their recommendations, and the CEO/CFO will promptly reject the recommendations that cost a significant amount of money or inconvenience "important" users. If the CIO wants to keep his job, he's then going to tell his managers they're responsible for implementing/maintaining computer security. And down the pecking order it rolls...

The solution to computer security is really simple. Force financial responsibility upon companies with "inadequate" data security. Make companies liable to civil lawsuits when data breaches occur. They make architects/builders/administrators financially responsible when buildings collapse, bridges fall apart, nuclear power plants meltdown, or create an oil slick of regional proportions. Like magic, systems security is going to improve, at probably triple the previous operating budget. Just like the banks and financial trading companies do. Microsoft and Oracle will finally proactively attack their security flaws, because businesses won't be able to buy their products without exposing themselves to liability. And Linus will "finally" place security issues as a priority, because businesses will cease to use linux, if commercial companies offer a more secure product.

Just stop trying to push your Computer Security Warrior bullshit onto people you don't pay, and aren't directly responsible for the industry's lax security standards.

Re:Linus isn't trying to make it black and white.

"He's trying to say that if people want powerful, flexible networking, they'll choose an 80% safe OS that enables this easily over a 90% safe OS that imposes lots of overhead costs to make it possible; that people will choose a 60% secure OS that runs their processing jobs in 3 hours over an 85% secure OS that runs their processing jobs in 6 hours."

Not all people want to make the same tradeoffs, which I thought was one of the points Torvalds was making. In any case the issue is about system security where the operating system or networking are only one components.

"that most people will take the calculated risk"

Most people aren't calculating it, they are just assuming the risk is worth it. Ignorance of the risk or assumption of the absence of risk is not the same as mitigating risk.

For some tasks low security is unreasonable, or the system may be protected as a whole by other systems (e.g. firewalls around the outside of a less secure centre). For some tasks less than 100% accuracy is appropriate if time is off the essence and one end of the false positive or false negative spectrum is an acceptable risk.

Really Linux security should be seen as only one component of system security, and different levels of linux security may be appropriate depending on the design parameters of the system. It's useful to be able to have "90% security" if your system design requires it and an alternative design is not possible.

Re:Linus isn't trying to make it black and white.

[spire3661]

My god you are a child. You want all the power and none of the responsibility.

Re:Linus isn't trying to make it black and white.

[The-Ixian]

Yes, I administer a small network of about 150 bodies and roughly double that number of devices.

I take security seriously.

However, there are trade offs.

For example. I *could* implement a sandbox environment for all apps, do application whitelisting, strip attachments and links from e-mails and a bunch of other stuff... but these things add complexity and reduce productivity as they inevitably run head-on into usability.

As it is, I do everything reasonable to avoid the worst, but security is definitely second fiddle to productivity.

Re:Linus isn't trying to make it black and white.

[postbigbang]

People in this thread mistake that I believe in draconian security. I don't. I do, however have the facts that systems security is taking a beating like no other time in history, and the assets at stake are now huge. To blow off security as an after thought of some sort of da Vinci-worthy code still strikes me as the height of arrogance. It doesn't speak to the real pain that occurs.

Re:Linus isn't trying to make it black and white.

[youngatheart]

Thank you, you are absolutely right. I suspect most IT jobs have security as one important aspect of a much broader list of responsibilities. (My job certainly considers security of extreme importance, but I'd say I spend maybe ten minutes of my average work day directly on security.)

And look at the means! Systems security has become battle #1 for many, many IT people

That's true, because of course there are many jobs in IT just about security, but that's not the same as saying it is the primary battle of most IT people or even saying it is the primary battle of a significant percentage. If there are a hundred thousand IT people with security as battle #1, that's "many, many!" Nobody cares though, because that's only 1.5% of of the 6,500,000 IT employees in the US.

Vague claims are usually true, and useless.

The more I think about this, the more it irritates me. There are people who educate themselves about risks and mitigation options and build very secure systems within their areas of expertise. I'm in that category. Then some butt-fedora comes along yelling about how things need to be more secure and I then get to explain to my bosses and their oversight organizations why said butt-fedora commentary doesn't apply. I mean, on the one hand, it points out something I'm competent at, but on the other hand, it's a waste of time, because rarely do the oversight people or bosses actually know the difference between what I'm saying and the butt-fedora guy is saying.

Re:Linus isn't trying to make it black and white.

WTF?

You forgot to take your meds today.

Re:Linus isn't trying to make it black and white.

people will choose a 60% secure OS that runs their processing jobs in 3 hours over an 85% secure OS that runs their processing jobs in 6 hours.

I might as well, but it isn't going to be the same OS that I use to access the internet.

I can buy a faster computer, but I can't buy a safer one. So as far as I'm concerned, make the OS safe, and if I find it to be too slow after that is done, then I'll buy a faster computer to run it.

That said, there are certainly ways that one can go too far in trying to achieve security. E.g., it might be tempting to add a lot of run-time checks. Sometimes this is necessary, but it makes a lot more sense to fix the root problem. E.g., rather than using canary values to verify that return addresses are uncorrupted, why not just put return addresses on a separate stack so that buffer overflows aren't able to overwrite them? Similarly, rather than waste a lot of computing power running malware scanners, it would make more sense if the OS simply had a permissions model built-in, so that random downloaded software isn't executed with permission to do everything that the computer's owner is able to do by default.

Re:Linus isn't trying to make it black and white.

You are really stupid.

The fact that Linux runs the worlds infrastructure means it is secure enough.

FreeBSD may be more secure but it is a ball ache to set up and admin and no one uses it.

Point to where Torvalds has rejected a secure feature in the kernel.

He wants the kernel to be useful and secure and those are tradeoffs.

Re:The point is that safety alone is not productiv

[postbigbang]

Were this true, a culture of security would have indeed stanched many of the problems found. Certainly the Linux kernels have been well-thought through. They are not immune.

Just turn off your computer....very secure!

Just turn off your computer....very secure!

Re:Just turn off your computer....very secure!

With intel vPro or an iLO system, I can just ssh in, turn the machine on, upload a CD image, boot the machine from the virtual image and snarf everything. Being off doesn't mean it is secure these days.

Matthew Garrett again

Matthew Garrett again trying to remove Linus from the equation. First they tried with the rants angle, now with the "security" aspect. pure FUD

Re:Matthew Garrett again

I've got the popcorn ready for when he tries to label Linus a sexist or some other kind of modern boogieman.

Re:Matthew Garrett again

mjg59 has a history of trying to push changes into the kernel that would give him security-driven power of veto over basically any feature. Witness Secure Boot and its requirement to remove /dev/kmem, kexec, and a bunch of other things "because they could be used to subvert Secure Boot". Witness the recent BSD securelevels stuff, likewise with hooks all over and next to no interaction with LSM, the mechanism that SELinux and various other mandatory access control mechanisms use just as well. Witness the attempt to get a relatively enormous keysigning framework into the kernel because otherwise it'd be at the mercy of userspace. Witness how each and every one of these changes was argued for on the basis of Security Über Alles, no further discussion required (besides doubling-down on fear).

His earlier work is Macchiavellian, and his latter work is also barely competent.

Fuck Matthew Garrett.

Re:Matthew Garrett again

[epyT-R]

He's already accused him of similar things..
http://linux.slashdot.org/stor...

Re:Matthew Garrett again

You forgot the "sexual harassment" angle that the likes of Sarah Sharp's friends are pushing.

Hence why linus won't be alone with "strange" women at conferences, because they're literally trying to false flag him.

http://esr.ibiblio.org/?p=6907

Funny how all the criticism of Linus makes it in the media, and stuff like this gets buried and/or mocked by "journalists".

Re:Matthew Garrett again

Maybe he can accuse Linus of having once made a joke about dongles, which is hostile towards women. Or perhaps he can find some email somewhere in which Linus said that gay marriage shouldn't be allowed.

And the IT people are hired and fired

[aussersterne]

based on a multiplicity of factors, notably including their ability to support the company's operational needs, NOT ONLY how "secure" the systems are.

QED.

Re:And the IT people are hired and fired

Speak for yourself. My systems don't do anything for the company's operational needs. They're all airgapped and I've removed all input devices. Most secure systems on the planet, they are.

Partly true

So merge the grsecurity patches into the mainline kernel, that's the "Linux" part of Linux/SystemD sorted. Then get rid of the SystemD part. Job done.

Re:Partly true

[barlevg]

That's essentially what Blackberry did with the Priv to make a "secure Android": https://www.reddit.com/r/black... (possibly related: early reviews are saying the Priv has performance issues, e.g. http://www.wsj.com/articles/bl... )

Re:The point is that safety alone is not productiv

[dave420]

Your analogy doesn't seem accurate. It's more like if you had a hammer - all hammerlike and useful, but because of the laziness of the hammer creator, can be remotely made to fly around your workshop smashing into things by anyone wishing to make it do so.

The security holes which do not affect functionality should be fixed, and commonly are not. That is the problem.

I wonder if this is the first time

[wiredog]

Linux, and Linus, have been on the front page of The Washington Post.

Security does not trump utility

[sjbe]

The Security Professional's job is security.

Yes but that doesn't mean their job gets priority over the actual business being conducted. Security is important and serious but it is not paramount.

Yes, the goals of the secpro often conflict with the goals of the desktop support technician, but in the end security is more important than usability.

Wrong. The only way to get perfect security is to make it effectively impossible to do anything useful. Security is very rarely more important than utility even for organizations like the military whose job is security. That doesn't mean security is unimportant or that some utility cannot be traded for security but a company that is perfectly secure will be out of business faster than you can say "Chapter 11".

Your job is really about securing access to data, and nothing else.

Wrong. A security pro's job is to be an advocate for security and help the organization balance security needs against functional needs. Their jobs is to help avoid the landmines and mitigate risk. Someone who doesn't realize this will be useless in their security job. A security pro who actually thinks security trumps all would be like a guard who thinks everyone should be strip searched upon entering a building. It's just not realistic, practical nor will it be acceptable.

Re:Security does not trump utility

I don't think that real security pros have the same attitude as the gp poster.

Highly Amusing

[segedunum]

I find it highly amusing that people who worry about security tend to be those who want to shoehorn shit like kdbus into the kernel.

Re:Highly Amusing

Especially when the official maintainers of SELinux has come out and voiced concerns about how certain parts of kdbus may well compromise SELinux...

Zero Installation.

[BlackHawk-666]

The most secure system is the one with zero installations. At some point though, you need to realise that a system must also be usable, and so you trade some security in order to gain users.

Re:Zero Installation.

But you should also trade some performance for security. At this point I don't really trust either Windows or Linux for doing on-line banking, and I'm not so sure about FreeBSD, either. When the trust level is so low that I feel that I can't use the system for certain sensitive functions, then that system is as useless as if it were completely air-gapped.

Best way to avoid mistakes is to do nothing

[Strange+Attractor]

You are exactly right.

At Los Alamos National Laboratory safety and security are much more important than anything else. So that's how we spend most of our time.

If the highest priority is to do nothing wrong, the best strategy is to do nothing.

Re:Best way to avoid mistakes is to do nothing

> At Los Alamos National Laboratory getting the next round of military funding is much more important than anything else.

Fixed That For You.

Any lab that spent that many billions on the outright failed, treaty violating, military wet dream project of orbital X-ray lasers, necessarily powered by A-bombs, was basically fronting for billions of dollars of fake research to get nuclear weapons into space. The "x-ray lassers" never worked, they were untestable under various treaties, and the small A-bombs "for powering the lasers for missile defense" were like your local gang members collecting copkiller ammo "for home defense". Their only effective military use was to be *dropped* on ground targets, which was relatively easy to design for, and every launch vehicle design had fascinating amounts of "classified space", apparently for the re-entry guidance systems.

Re:The point is that safety alone is not productiv

[Bengie]

To further your point, unplug your computer from power and it's 100% safe from remote attacks.

bsd.mp and Linux 2.2

[emil]

While bsd.mp arrived just in the nick of time as multi-core came on the scene, the architecture strongly resembles Linux 2.2 with one large kernel lock, forcing kernel code to run on only one CPU core at a time.

Linux moved to much finer-grained locks, that allow non-conflicting segments of kernel code to run on several processors at once. While most commercial UNIX has done the same, there is no question that one great big kernel lock is more secure.

OpenBSD is very slowly allowing safe calls out of the kernel lock, and they do value security over performance, so hopefully their userspace will remain very safe.

For those who want to harden Linux, perhaps the 2.2 branch should be revived.

Yup. And when security is a key to operational

[aussersterne]

goals, this is close to what happens. Where truly "hard" computing is necessary, resources are disconnected from networks, etc. People know which side their bread is buttered on, they're not fools. Sure, security is an important "nice to have" but it's not bigger than the task at hand in most cases.

Witness how the public continues to use cloud services, social media services, online commerce, and mag-stripe credit cards, despite regular breaches. They'll bitch and moan, but they're not going to stop doing their stuff.

Similarly, notice how Linux effectively rules the world as THE key component of network and mobile space infrastructure, even dominating big chunks of consumer space (i.e. Android). And meanwhile, OpenBSD is an asterisk.

People want security, sure, but they're not going to choose to martyr themselves (or their projects or tasks) to it. Linus is a pretty smart guy at the end of the day.

TRANSLATION

[cstacy]

What Slashdot readers hear: "Linux is not BSD."
What normal people hear: "Linux is a terribly insecure OS from some total asshole, who by the way doesn't give a shit."
Mainstream Media's message: "Better stick with Microsoft Windows; it's the only thing that's secure."

Re:TRANSLATION

[LichtSpektren]

This. Exactly this. This article is the same classic FUD that Microsoft has been shoveling for years. I'm surprised they didn't end the article with some crap about the GPL license being a virus.

Re:TRANSLATION

I'm surprised they didn't end the article with some crap about the GPL license being a virus.

What Slashdot readers hear: "GPL is not BSD."
What normal people hear: "GPL will let out the smoke from my computer!"
Mainstream Media's message: "Better buy proprietary software and hope that they implement the feature that you want."

Re:TRANSLATION

Really? It sounded to me like "Linux maintainer explains real-world tradeoffs between security and other concerns."
And mainstream media think they are tech savvy if they even know what Linux is. Windows is what everyone sticks with because it comes with effectively every non-Mac computer, and every shitty third party software vendor, including many public-facing government departments, ONLY support Windows.

Re:TRANSLATION

Or it is yet another PR attack on Torvalds in the hopes that he will either change course or step down, so that corporate interests get a kernel they are more happy with...

You obviously don't work for Sony.

[emil]

The job of security is to fully understand the risk, penalty, and consequence of system compromises, and then to suggest the proper tools to manage this risk.

Some people work with data that involves enormous consequences should it be compromised. These people are likely not on Linux if they understand the issues properly.

Security and risk go hand in hand

Linus and the kernel team likely knows what security RISK could exist and have made decisions from it. That's considering they take their time in release fixes vs the agile way of releasing new stuff every 3 months.

Yes, Linus is right that nothing is perfect in the world of security, but Linus needs to realize a number of design decisions could be viewed as bad after the fact....since a bad decision is unavoidable.

It's Always a Balancing Test

[Crypto+Cavedweller]

I trained network guys on installing our company's firewall (hardened Linux OS) for 18 years. I started every class by asking this question: "Is the purpose of the network security?" A few guys would nod, after all I'm the security guy, that must be the answer I wanted, right? NO! The purpose of the network is *getting work done*. Security is a feature, and it must be balanced against other features with one goal in mind: getting the work done at a level of productivity acceptable to management. Perfect security is an illusion. Doesn't exist, won't ever exist. You do the best you can in the environment you work in, and that's all you can do.

Re:It's Always a Balancing Test

That's fine for you and the guys that you're training, but Linus is in a different category. The 'best you can' is very negatively affected if security is an incidental afterthought, rather than something high up on the list of important attributes. Perhaps the quotes from Linus are carefully selected to put him in a bad light, but he does seem to have a very cavalier attitude.

Security is quality

[Shadow+IT+Ninja]

I agree that operating system engineers should not get bogged down in details of security. What they should do, however, is concentrate on those aspects of security which equate to quality, especially stability and transparency. Not crashing in response to unusual input and handling overloads gracefully are really important aspects of security. Likewise, the ability to see what is going on in your OS is fundamental to security. For example, I have argued for some time that the addition of DTrace to Mac OS X is an important security feature. The reaction I get is "That's just a debugger." No, the ability to understand what's going on is absolutely necessary to security. These things do not degrade the user experience or make an OS less usable. They make it better.

Re:Security is quality

[MikeFM]

Better development tools and libraries would be a very good start. Way more useful than a bunch of pointless limitations that are as likely to cause new security holes with all the bugs they introduce.

We are not happy until you are not happy

The trouble is that most people don't care about security until their bank account gets drained, or in another context until a bomb goes off in the airplane hold below them. So some degree of security BOFHery is unfortunately required.

Not just Computers, life itself is this way

[shoor]

People take calculated risks all the time in their lives, and different people will make different tradeoffs. Some are what the general population perceives as reckless, others are seen as overly cautious. There are contradictory aphorisms: "Look before you leap" and "He who hesitates is lost".

Once you've been burned, you tend to be more careful. Look at the increase in airport security recently as an example, or programs to protect against storm damage on the east coast. That stuff is expensive, and you have to feel like it's worth the expense. Same with computers. Is it worth it to go through an elaborate verification process to get into your online bank account? Wouldn't it be safer not to have anything financial done online? If you go online to do something you feel might be risky, try booting from a dvd with no writable storage except a ramdisk which will disappear as soon as you shut down to reconnect your regular hard drive. It's a PITA, but maybe it's worth it. (If you boot from an SSD it's usually a lot faster, and I doubt anybody can suborn an SSD in that situation yet.)

Linux was quoted...

'Only a total fucking retard thinks Linux can be 100% secure! Better security? Then stop writing such shit code you fuckstick!'

Why safety "alone" is productive:

[Burz]

There are different ways to implement security, and I think this discussion of Torvalds' and ours is a sign that security ingrained within large monolithic kernels is a demoted (if not dead) model.

Hypervisors like Xen are at the forefront of security. They embody a sandboxing-done-right philosophy where the baremetal system runs only a small, dedicated hypervisor and all of the rich functionality is contained within VMs. In a system like Qubes, which adds an integration layer on top of Xen that is very small and tight and seals-off known avenues for VM breakouts, you get (mostly) the best of both worlds. Even hardware devices are virtualized in Qubes, and it works.

In this model, the hypervisor acts as a microkernel and the Linux/Windows kernels act as drivers and services. IMO, this is 'microkernels done right'.

Of course, any security model worth its salt won't engender a black-and-white view as Linus complains. One accepts that individual VMs that are exposed to risk (browsing remote web pages, for instance) may be compromised. But a compromised browser shouldn't mean a high risk of privilege escalation (the monolithic kernel disease) and having sensitive data stolen, or the system itself turned into a surveillance or attack platform -- any successful attack on an application should be contained by default.

Re:Why safety "alone" is productive:

[gmack]

You make it sound like no one has ever hacked a hypervisor.

Re:Why safety "alone" is productive:

[Burz]

LOL... Those are bad examples. The first is virtualbox, a type-2 hypervisor. The second one might be exploitable once in a blue moon (generally, the attacker will gain a little info outside any VMs). The third one was from a floppy driver that one gets when installing the full-fat qemu inside dom0 (which seems pointless) -- it also didn't affect Qubes or AWS.

The CVE-2015-7835 which just occurred is a good example of a Xen vulnerability. Still, quantity and severity matter. Linux has racked up 3X the number of CVEs over 5.0 so far this year, compared to Xen. And of those, Xen had zero with a score of 8.0 or higher -- while Linux had a staggering six. Xen has had only two of these (both 8.3) ever, so looking back to Jan. 2015 is being very, very kind to Linux.

I think what the CVE charts are showing is an inherent mitigation effect due to structural features of type-1 hypervisor.

Re:Why safety "alone" is productive:

You are acting like Xen is even a target. The containers are the real target.

Share and share alike.

Slashdot tools have raged against Microsoft security for years, based on flaws in third party applications.

Furthermore, you don't get to claim Android is Linux when trying to pretend your marketshare is at all significant, then claim it isn't when discussing Android's fucktarded lack of security.

Re:The point is that safety alone is not productiv

Sorry but no, his analogy was/is better than yours (just reading in to what the article suggests). That is to say that if there are flaws in the coding of Linux (manufacturing of /the hammer) that allow it to be exploited than Linus says those are important to address just like other flaws that allow Linux (the hammer) to break. As an example, rather than remotely flying the hammer around (not sure how you went there as there is no conceivable design of a hammer that would allow it to 'fly around' but...) lets say the tensile strength of the head doesn't meet the manufacturing guidelines & it can thus shatter...that should result in a 'bug fix' (recall etc.) to fix the hammer. That's not a particular 'security flaw' but it is a flaw that affects its functionality and needs to be addressed. Similarly a bug in Linux that causes it crash OR if it allows remote command & control are equally 'bad things' (Linus TM) & both must be fixed.

To make the analogy complete, in reference to the hammer, what Linus is saying is that if you redesign the head so that it's made out of soft flexible rubber/plastic in order to avoid it 'shattering' than you have entirely missed the point of the hammer to begin with. Yes it's 'safer' but it is entirely less useful as a hammer. To that extent rather than redesign the hammer the point would be to make better processes to catch flaws in manufacturing the hammer to avoid/remove the possibility of it shattering (say for instance by manufacturing the head to specifications well above it's potential 'impact force' where it may shatter).

In any case 'flying hammers' have nothing to do with this.

The Garbage Compacter Rule

[Mandrel]

He's pointing out that people like security well enough, but they want to get stuff DONE even more, and that most people will take the calculated risk to be less secure if it makes them more productive at lower costs.

Also, too much security can backfire. I call this the Garbage Compacter Rule: In Star Wars it was too difficult to shut down all the garbage compacters on the detention level, so R2-D2 just shut them all down. Similarly, when you run up against a security system that's stopping you doing what you want, but it's hard to poke a hole in it, you sometimes just "shut them all down" to get some work done. You're left with less security than if the original block wasn't there.

Linux was directly at fault for towelroot.

Where else can you lay the blame?

shell@t0ltevzw:/data/local/tmp $ ./ghettoroot /system/bin/mksh

native ghettoroot, aka cube-towel, aka towelroot

running with pid 14678

Kernel version: Linux version 3.0.31-1496113 (dpi@SWDD5710) (gcc version 4.4.3 (GCC) ) #1 SMP PREEMPT Thu May 8 01:19:38 KST 2014

Found matching device: Linux version 3.0.31-

modstring: 1337 0 1 0 4 0

[DEBUG] init_exploit:1153: function start
...

DEBUG] read_pipe:316: function exit

[DEBUG] get_root:535: YOU ARE A SCARY DEVICE

[DEBUG] write_pipe:325: dest:cc2734c0 src:40be55d0 count:24

[DEBUG] write_pipe:325: dest:e581a280 src:40be55e8 count:92

[DEBUG] write_pipe:325: dest:c586c624 src:00013010 count:4

[DEBUG] postroot:394: Going to execute custom command.

[INFO] run_custom_command:382: Going to execute: /system/bin/mksh

shell@t0ltevzw:/data/local/tmp # id

uid=0(root) gid=0(root) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:kernel:s0

Re:The point is that safety alone is not productiv

[tnk1]

Using a hammer is an extremely poor and simplistic analogy. A hammer is a piece of wood and a shaped piece of metal which are kept together in some fairly simple manner.

The Linux kernel and most systems are anything but simple and can break or be broken in ways that will be impossible to see through a simple inspection. You can easily inspect a hammer to see that it is safe and in working order.

Security is about being able to assess risk and then either fix the issue or accept the risk and compensate for it. If it is fairly straightforward for the risks with the Linux kernel to be assessed and somehow compensated for, then Linus may have a point.

If, however, there is no way of adequately assessing the real risk of using the kernel, then Linux has a problem that will eventually need to be resolved and one day a catastrophe could happen that causes a sudden departure from the Linux kernel or a serious retrenchment.

Security is problematic because no one takes it seriously until there is a disaster. And when the panic starts, it is far, far too late.

Re:The point is that safety alone is not productiv

Unless it is a laptop with wake on LAN enabled. Always correct every time some of the time.

Re:The point is that safety alone is not productiv

[Jack9]

> ESPECIALLY at the so-called "top" (which is just a figment of your imagination, really)

Really it's not. See how compelling that sounds? Linus being a particularly good example of top-down security design (since his branches are the only ones that end up being used). Microsoft is another. Amazon is another. BSD, not so much. Even with cross-pollination, technology flows from clearly delineated tiers.

We get new sources, rarely, but the top-down nature of technology propogation doesn't change. There's a corollary in there about modern capitalism and those with money are those who get a message out best.

Second paragraph shows failure as a journalist

The basic function of any journalist is to get the facts straight: For Linux, the operating system that Torvalds created and named after himself ...

Which, as any Linux user should know, he did not do. It was named for him. A google for 'how linux got its name' clearly shows 'Ari Lemmke' chose the name.

Sorry journalist from the non-technical side of the world trying to drum up clicks by misunderstanding ... well, probably everything related to the article.

Security is about monitoring

Look...

You can have the stronguest safe in the world, if you leave it unmonitored, it will be robbed.

No system is safe, there are hardware,kernel,aplication,logicand human bugs. And after some time all those parts can fail.

And all those parts need monitoring. If you want a system to be secure(as in the most secure possible) you need to have somebone look at the logs, to see if ppl are attenting to breach the system.

Also, most of those security experts let their boss use their birthday as password.

Maybe 1 in 1000000 linux setups have their infrasructure with a higher level of security compared to the kernel.

The rest use 3rd party closed programs, unsafe password, exposed legacy apps, bad logic, underpayed angry workers, back dors.

And lets face it, most of IT can withstand a 1 day downtime that recovering a backup takes. The rest(banks, ISPs) can pay, and should pay, for active monitoring.

Re:The point is that safety alone is not productiv

[KGIII]

I've said a few things on the problem, I'll paraphrase.

Security is a process, not an application. The largest vector for exploits is in the chair and not in the code. Security is about knowing the risks and deciding how much risk one is willing to accept in order to accomplish their goal - there's inherent flaws in most everything and a degree of risk that is acceptable. It's a very personal, or individual, choice or a matter of policy for businesses. We can argue where those lines are best drawn but nothing, ever, is completely secure - not even an air gap is enough, if one is truly paranoid.

Finally, why is the opinion of Garrett important? Didn't he fork the kernel so that he could get away from Linus/Linux? I seem to recall that he meandered off to start Safe Space Linux, or Linux for Insecure People. I should probably check the Git to see how that's coming along...

Re:The point is that safety alone is not productiv

I wouldn't say 100%. Maybe 99.999% as I'm sure someone, possibly me, could wirelessly power it up and interface to it even if it wasn't designed to do that. Could. After doing it I'd lose interest and go ahead and make some other pointless gadget.

Ambient Authority - Spraying it all over the place

[ka9dgx]

There's no way to specify "run this task with this type of access only to this set of stuff" in Linux... which means you're giving your authority to everything you execute. Until this gets fixed... any flaw in any of the code you run can be used against you.

If you could specify authority and filter it, in a similar manner to unix pipes, you'd be able to build a database that can only take local connections, then build a read-only connection to it, then build a web page that could only connect to that and respond to requests... and finally the web server to take requests from the web and query the page.... and an outside hacker would have to pick through each layer on his way to the database... even if the code was only 99% effective, that's a 99.9999% effective block with very minimal effort.

This type of stuff doesn't have to be user-unfriendly, in fact if implemented correctly it would be fairly transparent to them.

Security

I for one welcome our unsecured overlords.

Why Linus threw hissie about network security code

See http://lkml.iu.edu/hypermail/linux/kernel/1510.3/02866.html

The programmer threw a bunch of underdocumented, experimental, non-portable gcc-compiler "features" at a basic security sensitive function, and *still does not understand* why the polymorphing "security" bloatware was rejected, with extreme prejudice.

Fuck Linus! That d-bag doesn't...

[nicoleb_x]

Seriously, that testosterone dripping asshole thinks he's GOD but if he knew security half as good as he fucking thinks he does I wouldn't have to sudo yum so often. It's fucking easy to dump on everyone else but I'm not hearing him scream sophomoric obscenities at himself for the shit security. For fuck's sake, he named it after himself, I'm surprised he hasn't engaged in Seppuku yet.

Re:Fuck Linus! That d-bag doesn't...

You sound like microsoft troll. You just go back to using microsoft.

GRsec went closed-source with it's stable patches.

GRsec went closed-source with it's stable patches. It's not a contender anymore.

Nope. GRsec went closed-source with it's stable pa

GRsec went closed-source with it's stable patches..

Closed Kernel

Yep, forked by GRsec, which now went closed-source with it's stable patches..
GPL has no teeth.

Re:Closed Kernel

It is still GPL'ed.

Just because it is GPL'ed, it doesn't mean that you have to give it to everyone.

You can legally paywall GPL code, but those that get it can redistribute it.

Re:Ambient Authority - Spraying it all over the pl

Could installing and configuring grsecurity/PAX/etc on that server achieve what you want? Or does this all have to be done within or at the kernel?

Hatchet piece

[Indigo]

Seriously, I had to double check that this wasn't from Forbes.

Re:The point is that safety alone is not productiv

Hahahaha dave420 enjoys the fine flavor of eating his words http://slashdot.org/comments.p...

Re:The point is that safety alone is not productiv

It's not that black and white at all. The OSHA-like examples of stupidity in motion don't apply here. What is present is an enormous crime effort to make money from other's computing misery. Look at what's happened, in terms of breaches, thefts, extortion, and just plain misery.

The problem starts with every coder everywhere, every sysadmin, network engineer, and web designer. The culture of security starts at the top, and here, at the Top of Linux, Linus brushes it off. These aren't nutters or nutjobs, these are the wounded, the broke/bankrupt, and those rapidly looking at systems infrastructure as if it's a joke.

Right, because the CryptoLocker shit is infecting Linux computers, and not Windows. Get a fucking clue, you moron. Linus can't fix Microsoft's decades of fucked up design.

Re:The point is that safety alone is not productiv

One has to wonder why all these security experts angry about Linux's "lacking" security are just gobbing off instead of forking the apparently highly insecure kernel and releasing their own ultra-secure version of it. Words are cheap and spouting idle buzzwords to get idiots riled up is easy, what's not so cheap or easy is to actually produce some actual work. Hell, if these lot produce a kernel that is inherently more secure than the Linux kernel while still staying usable, I'm certain the modifications will be merged with the main Linux kernel. So when can we expect this new ultra-secure kernel?

Re:The point is that safety alone is not productiv

Dave420 is always getting bitch slapped by apk. It's become a slashdot tradition.

Used sparingly? Default in Ubuntu, Fedora

[daboochmeister]

Not sure I understand the assertion that MAC is used sparingly ... e.g. Ubuntu has AppArmor on by default, with many profiles in enforcing mode out of the box (Ubuntu security docs), Fedora Core has SELinux on by default, with protection for many apps in place (Fedora Core SELinux info).

Re:The point is that safety alone is not productiv

[LKM]

Analogy with hammer is misleading. Nobody is remotely hacking your hammer and stealing your bank logins. I agree that security is a trade-off when it is about any device not connected to the Internet. As soon as you connect to the Internet, everything changes. Now security is an absolute requirement. Without security, nothing else you do matters. I don't care how great your hammer is at nailing in anything that needs nailing, as long as buying it means that I make my personal data vulnerable to attacks.

Re:The point is that safety alone is not productiv

[jbmartin6]

"Look at what's happened, in terms of breaches, thefts, extortion, and just plain misery." And how much of that was due to Linux kernel flaws? Or how much of that could be avoided by changing the Linux kernel without sacrificing all the other requirements?

Re:The point is that safety alone is not productiv

(...). It's more like if you had a hammer - all hammerlike and useful, but because of the laziness of the hammer creator, can be remotely made to fly around your workshop smashing into things by anyone wishing to make it do so.

You can't do physically impossible things. So, I agree with Linus. There's so much security you can do without degrading your performance [yeah, I'm a performance guy, who calculates risks].

Re:Ambient Authority - Spraying it all over the pl

[jbmartin6]

Interesting, is there an example of where this kind of setup has been implemented? It sounds sort of like the Android permissions model where they get applied to a specific application.

0 Days Will Sober Everyone

[HolyMonk]

Linus is detached from reality. The same philosophy was what existed before 9-11 happened. When a significant 0 day is found in the kernel that ends up being exploited globally then he will care.

One 0 Day Away From Disaster

[HolyMonk]

I think a lot of folks are missing the point that security is only exploitable through weaknesses in software. For the kernel that means that someone didn't anticipate how someone could abuse the code to subvert the security of the system. It seems to me that the same philosophy around security existed right before 9-11. All it takes is one zero day exploit to render who knows how many Linux hosts impotent just because Linus doesn't want the overhead to ensure that the kernel has the proper security measures applied.

Re:The point is that safety alone is not productiv

So we shouldn't complain about splinters on the hammer handle, or that the head is so loose that it will fly off if you use some effort? Or that the hammer is within reach of a homicidal maniac instead of being locked up?