Security Problems Are Primarily Just Bugs, Linus Torvalds Says

Linus Torvalds, in his signature voice: Some security people have scoffed at me when I say that security problems are primarily "just bugs." Those security people are f*cking morons. Because honestly, the kind of security person who doesn't accept that security problems are primarily just bugs, I don't want to work with. Security firm Errata Security has defended Linus's point of view.

They're bugs, unless they're not

[DontBeAMoran]

Security by obscurity, government backdoors, etc. Those are not bugs.

Re: True, but.

Theyâ(TM)re usually someone passing unescaped user data to an sql query. So the end user is able to break out of a string and change the functionality of the query. Incredibly basic stuff.

Re:Security problems are NOT just bugs

[hey!]

Well, I certainly wouldn't want to endorse Torvalds' attitude here. But you encounter it, minus the armor of overwhelming fame, all the time when you work with multiple groups of stakeholders. As a system designer a lot of what you do when you develop system requirements is make localized concerns globally visible. But there are always people who don't see the needs of other users as important, and depending on how they're situated they can create a lot of grief.

People actually confuse "objective" and "subjective". I actually had a client once who even used those terms: we should focus on what's "objectively" important, by which he meant things that seemed obviously important to him. Things that were important to other stakeholders were "subjective" concerns. People do that a lot more than they realize, even if they don't use those terms. What's rare is having enough status to be an asshole about it.

Re: True, but.

[darkain]

Name some interpreted serialization formats that don't.

Linus is back :)

[phil42]

it is great to see that "kinder gentler Linus" has gone away and good old "kick 'em in the ass Linus" is back.

Linus' outrageous remarks serve kernel development well