Tuesday, July 22, 2008

Linus Torvalds on Security

Linus Torvalds doesn't get it... or does he?

What?... Linus Torvalds (yes, the guy that "invented Linux") has this post off the gmane.linux.kernel newsgroup, which appears to be a rant against security people and the bugs which keep us employed and the world a darker place. Read that article again, and then take it into context - he's writing about kernel issues here.

Fortify (although I don't always agree with their tools and methods) is out there saying that caution should be exercised before deploying Open-Source tools in the enterprise, and this guy is out there saying that security is no more important than a random crash. I admit, the first time I read that I was furious, and really wanted to tear him a new one for being so idiotic... but then I thought about it more.

Since Linus is speaking in the context of kernel development it has to be assumed he's talking about catastrophic crashes that can take down a *business* potentially when random evil things happen in an enterprise installation of Linux. I understand that a non-security bug can cause very serious damage to a business too... but come on, are you seriously comparing it to a major flaw in the code which can pwn a server, a database, or an entire enterprise?

Obviously. Let me further expand.

Linus - I honestly don't know what to think after this statement... as I don't think the security profession "encourages the wrong behavior"...
"...one reason I refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior."
While I don't agree that security people aren't "heroes" ... I can see how ordinary bug-hunters, the ones chasing bugs that aren't security bugs, are just as important and should receive just as much notoriety, so the following quote annoys me a little.
"It makes "heroes" out of security people, as if the people who don't just fix normal bugs aren't as important."
Yes, every bug is important - but the ones that are security bugs can cause (and here's the key) stealthy financial losses to the tune of billions. If a server crashes, odds are you or your business will notice immediately, if it's important enough. If a server is hacked and funds or transactions are being siphoned off... you'll likely never know, because of the nature of a security bug. Before you even reach for the comment button - yes - I do accept that there are things like rounding bugs or errors in code that would otherwise silently pilfer money in an indirect way, such as performance bugs or calculation bugs... but that's much less likely (by my calculations and experience, anyway). Let's move on.
"In fact, all the boring normal bugs are _way_ more important, just because here's a lot more of them. I don't think some spectacular security hole should be glorified or cared about as being any more "special" than a random spectacular crash due to bad locking."
OK - now he's just talking out his behind. I couldn't possibly disagree more, and not just because I've dedicated my career to security.

What strikes true here with me, and it's something that I've been saying for a long time, is the following quote. Read and re-read it... see if it catches you the same way it caught me.
"Security people are often the black-and-white kind of people that I can't stand."
Fascinating. I actually agree with Linus here, partially. I say partially because there is a large wave of us that are working our tails off helping to strike a balance between the "security" and "business" aspects of what we do. We're working very hard to eliminate this notion that we see in black and white - but maybe we're not doing enough or the message isn't getting out there fast enough. This is perhaps the one thing in this post from Linus that makes me think that we as security practitioners have a long way to go before we're fully accepted into the IT/business world without yelling about the sky falling.

As a final note, Linus drops this nugget of his wisdom which I have been thinking about, but unfortunately still can't find a way to agree with.
"To me, security is important. But it's no less important than everything *else* that is also important!"
I suspect it's because of the slant I have being from this industry, or maybe something else in me... but security is and should be at the top of the list. Now... granted that without "functionality" being good all the security in the world is stupid.

As I've always said... "If it don't work, what's there to secure?"


Anonymous said...

Lots of software development is about taking input to output according to some functionality.

If "bad input" gets processed a security hole can result.

If the "functionality" doesn't make clear what is bad input and what is good input, there is a problem. One would say that the functionality hasn't been thought through.

If what makes input bad is complicated, then software becomes unusable in the sense that some programmer might see mostly good results. If they don't have a complete picture, some way of "using it" leads to unexpected results.

I think Linus is concerned with the "thinking through" part, and making sure that programmers get the "complete picture" while the functionality is well-defined.

Wouldn't you agree that that is his role in the project?

Rafal Los said...

I do which is why I didn't just go on a tear against his comments...

But for Linus to make nasty comments against security folks... is just plain irresponsible and demonstrates his ignorance (or poor articulation of his position).