Slashdot Mirror


Security Problems Are Primarily Just Bugs, Linus Torvalds Says (iu.edu)

Linus Torvalds, in his signature voice: Some security people have scoffed at me when I say that security problems are primarily "just bugs." Those security people are f*cking morons. Because honestly, the kind of security person who doesn't accept that security problems are primarily just bugs, I don't want to work with. Security firm Errata Security has defended Linus's point of view.

8 of 272 comments

  1. They're bugs, unless they're not by DontBeAMoran · · Score: 4, Insightful

    Security by obscurity, government backdoors, etc. Those are not bugs.

    --
    #DeleteFacebook
    1. Re:They're bugs, unless they're not by Anonymous Coward · · Score: 1, Insightful

      Maybe not code bugs per se, but clearly the release/review process has some bugs in it if you are able to get those things into production code.

  2. Security problems are NOT just bugs by sinij · · Score: 1, Insightful

    He is demonstrably wrong. True, some security problems are bugs, but there are also security problems that are bad design choices, that are misconfigurations, that are counting use of old technology (e.g. RSA 1024), that are poor use cases (nobody follows policy, because it is too complex and/or convoluted). You can't secure systems with just code reviews and patching. No way, no how.

    1. Re:Security problems are NOT just bugs by hey! · · Score: 3, Insightful

      Well, I certainly wouldn't want to endorse Torvalds' attitude here. But you encounter it, minus the armor of overwhelming fame, all the time when you work with multiple groups of stakeholders. As a system designer a lot of what you do when you develop system requirements is make localized concerns globally visible. But there are always people who don't see the needs of other users as important, and depending on how they're situated they can create a lot of grief.

      People actually confuse "objective" and "subjective". I actually had a client once who even used those terms: we should focus on what's "objectively" important, by which he meant things that seemed obviously important to him. Things that were important to other stakeholders were "subjective" concerns. People do that a lot more than they realize, even if they don't use those terms. What's rare is having enough status to be an asshole about it.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  3. Re: True, but. by Anonymous Coward · · Score: 2, Insightful

    They're usually someone passing unescaped user data to an SQL query. So the end user is able to break out of a string and change the functionality of the query. Incredibly basic stuff.
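The defect this comment describes, shown as an added example that is not part of the thread: the same lookup written once by pasting user data into the query string and once with a bound parameter. The table, rows and the quote-containing input are constructed for the demonstration; the code uses only Python's standard `sqlite3` module and runs against an in-memory database.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the thread): a tiny in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (name) VALUES (?)",
        [("alice",), ("bob",), ("carol",)],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """The bug: the caller's string is concatenated straight into the SQL text.

    A value containing a single quote terminates the literal and the rest of
    the input is parsed as SQL, which is exactly 'breaking out of a string'.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """The fix: the value is passed as a bound parameter.

    The SQL text is fixed at parse time and the driver supplies the value
    separately, so quotes inside it are data, never syntax.
    """
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both variants on a normal name and on a constructed quote-containing input."""
    conn = make_db()
    crafted = "' OR '1'='1"  # constructed input: a quote followed by an always-true clause
    return {
        "normal_unsafe": lookup_unsafe(conn, "alice"),
        "normal_safe": lookup_safe(conn, "alice"),
        "quoted_unsafe": lookup_unsafe(conn, crafted),  # string broken out of: every row comes back
        "quoted_safe": lookup_safe(conn, crafted),      # compared as a literal name: no match
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Both functions behave identically on ordinary input; the difference only shows once the input carries a quote, which is why this class of bug survives testing that never feeds the code hostile characters. Parameter binding, not hand-rolled escaping, is the mitigation every database driver provides for this.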

  4. All data security is through obscurity by sjbe · · Score: 1, Insightful

    Security by obscurity

    All data security is essentially security through obscurity. Vault combinations, cryptography, keys, etc. all rely on various forms of information that is not widely known. The security comes through obscure information. Now there are forms of "security" through obscurity which are trivial to figure out and thus effectively worthless, but even the most robust cryptography is still security through obscurity at its core.

  5. Re: True, but. by darkain · · Score: 3, Insightful

    Name some interpreted serialization formats that don't.

  6. Linus is back :) by phil42 · · Score: 2, Insightful

    it is great to see that "kinder gentler Linus" has gone away and good old "kick 'em in the ass Linus" is back.

    Linus' outrageous remarks serve kernel development well