
July 17, 2008 4:02 PM PDT

Torvalds attacks IT industry 'security circus'


A correction was made to this story. Read below for details.

Linux creator Linus Torvalds has labeled makers of the OpenBSD operating system a "bunch of masturbating monkeys," as part of a wider critique of what he said was self-centered behavior in the IT security industry.

In an e-mail to the Linux kernel developer mailing list, Torvalds said a section of the security industry was dedicated to finding bugs in software only to publicize their findings and gain notoriety.

The row erupted in the Gmane mailing list after a developer for the PaX Team, which patches the Linux kernel, accused Torvalds and other top Linux kernel developers of "covering up (the) security impact of bugs" by not clearly labeling them as security flaws.

Torvalds wrote that disclosing the bug itself was enough, without having to label each individual security flaw. He added that taking the bugs to the "security circus" level only glorified the wrong kind of behavior. "It makes heroes out of security people, as if the people who...fix normal bugs aren't as important," wrote Torvalds.

What was left behind for the developers were all the "boring" bugs, which Torvalds considered more important due to their volume.

"Boring normal bugs are way more important, just because there's a lot more of them," wrote Torvalds. "I don't think some spectacular security hole should be glorified or cared about as being any more 'special' than a random spectacular crash due to bad locking," he said.

The Linux leader went on to state that "security people are often the black-and-white kind of people that I can't stand."

Torvalds appeared particularly irked by the creators of the OpenBSD operating system, who have focused on security and auditing when developing their variant of Unix. OpenBSD is known to be used in high-security environments such as the U.S. Federal Bureau of Investigation.

"I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them. To me, security is important. But it's no less important than everything else that is also important!" Torvalds concluded.

Torvalds' comments drew various reactions from the OpenBSD developer community. In an e-mail exchange with ZDNet.co.uk, developer Ken Westerback wrote that an interest in security should lead to fixing all bugs.

"As far as I am concerned OpenBSD is the project with the most demonstrated interest in fixing all bugs found, no matter how trivial, and to systematically examine all source code for instances of bugs encountered," wrote Westerback. "I believe that this is the bedrock principle of pursuing security--software that 'just works' rather than software with Rube Goldberg constructs of knobs and security theater scenery."

Westerback wrote that software produced by people interested in security "probably works better in most cases because a belief in simplicity, clarity, and consistency usually produces better code than other approaches."

Developer Kjell Wooding agreed that OpenBSD coders treat bugs with equal significance.

"There is a certain irony to Linus' comment there," wrote Wooding in an e-mail to ZDNet.co.uk. "The 'a bug is a bug' principle that he is espousing is exactly the approach taken by the OpenBSD developers that I know. The OpenBSD I know doesn't concentrate on security--it concentrates on correctness."

OpenBSD developer Bob Beck told ZDNet.co.uk that Torvalds' comments showed "ignorance," as OpenBSD coders did take the approach of dealing with bugs equally.

"The comments sound like much of the usual chestbeating we are used to seeing to make all the fanboys and girls on the lists swoon," wrote Beck. "Realistically it just demonstrates an ignorance of the OpenBSD project."

Beck added that Torvalds' comments were unfortunate, in that they could encourage Linux "fanboys and girls" to not focus on code quality.

"Those sorts of unfounded statements probably contribute to the type of attitude in Linux distributions that results in them introducing spectacular bugs into software ported into their distributions from OpenBSD, such as the recent Debian vulnerabilities," wrote Beck. "To the fanboys, this says 'don't listen to security-concerned people--they're just masturbating monkeys.' Which leads to more bugs to fix."

Both Wooding and Beck took Torvalds' comments in good humor. "I don't know what Linus' beef is. He seems to be on the same page with respect to this issue. And the 'masturbating monkey' thing? Well that's just funny," wrote Wooding.

OpenBSD developer Artur Grabowski wrote on Thursday that Torvalds had been in touch with the OpenBSD community.

"I talked to Linus about this already, he was humble about it and said it didn't look like it from the outside that we shared the same view," wrote Grabowski. "We all had a laugh about it."

Liam Tung writes for ZDNet Australia. Tom Espiner, who reports for ZDNet.co.uk in London, contributed to this report.

 

Correction: This article incorrectly characterized Linus Torvalds' last response to the OpenBSD community.


31 comments
by protagonistic July 17, 2008 4:43 PM PDT
Maybe Linus should get over himself and get a life.
by unknown unknown July 17, 2008 5:53 PM PDT
Technically he does have a life. He has a wife and three children and apparently is paid enough to support them. Maybe we have different definitions of a life.
by turoa76 July 17, 2008 4:52 PM PDT
Regardless of whether it was right or wrong, calling people "a bunch of masturbating monkeys" is classic, just classic.
by humanssssss July 17, 2008 5:40 PM PDT
Linus is a cool guy. He doesn't give a damn about what others think about his words, and that's why I love him for it!!! A free man must be able to freely express his opinions without regard to authority or anything like that. Most people look up to him as some authority figure; he himself doesn't feel that way and doesn't feel people should treat him that way. That's the cool part about his popularity: he doesn't give a damn. And when he does notice something wrong, he will acknowledge it and move on. And based on the history of his work, he gets things done, unlike most people I know or have worked with.
by WJeansonne July 18, 2008 7:41 AM PDT
Yes, he doesn't give a damn now, but he will soon enough once major Linux security flaws are announced more often. He'll quickly see how so-called "secure" OS go down in flames and I just have to laugh. First, it was one of the biggest lies perpetrated on the industry touting Linux as "free", and then the spin that it was far more secure than Windows and Solaris. What a joke.
by Penguinisto July 18, 2008 8:45 AM PDT
They've been saying that for well over a decade now, my dear MSFT Troll... the last one of any consequence at all died off in 2001. How's Windows doing by comparison? ;)
by Fil0403 July 19, 2008 4:50 AM PDT
@ Penguinisto: You've also been predicting Windows downfall and Linux explosion/market dominance for well over a decade now, my dear Linux Troll... The last time Windows had less than 90% market share was also well more than a decade ago. How's Linux doing by comparison? ;)
by Orion Blastar July 17, 2008 5:50 PM PDT
You got to love Linus Torvalds. Anything that isn't Linux, he makes fun of and uses personal attacks on. He once called Mac OS X "crap" when Steve Jobs offered him a job debugging the Mach kernel. I forget what he called Windows, but then all of the Linux fanboys already use personal attacks on Windows and Bill Gates so much that I forgot what Linus Torvalds' original words on Windows even were. Now he is attacking OpenBSD. I think at one time he attacked GNOME or KDE developers. They don't call Linus Torvalds the Benevolent Dictator for nothing; he really lives up to his name.
by Penguinisto July 18, 2008 7:19 AM PDT
The real funny part is, he actually uses solid, technical reasons to back up his claims. More than I can say for half the jokers in this joint. :)
by Fil0403 July 19, 2008 4:57 AM PDT
@ Penguinisto: Yeah, because there is nothing more solid and technical than calling people "a bunch of masturbating monkeys" because they care "too much" about security. But yeah, I gotta agree that, notwithstanding that, he (still) manages to back up his claims better than most "jokers in this joint" (the name "Penguinisto" suddenly comes to my mind, I'm not really sure why). :)
by ferretboy88 July 17, 2008 7:21 PM PDT
Linus said in an interview that his own mother and sister still use Windows instead of Linux. That's pretty sad when your own mother doesn't even stand behind you.
by Magallanes July 17, 2008 7:45 PM PDT
The shoesmaker's son always goes barefoot.
by groink_hi July 18, 2008 12:57 AM PDT
That's not the first time a family member has turned against another's product. Back in the 1980s, Bill Gates' father's law firm used only WordPerfect for word processing. Bill reportedly walked into the office and started whining about why everyone there isn't using Microsoft Word. One of the lawyers then told Bill the faults of Word, such as it didn't handle templates well (templates were very VERY important among legal eagles.)
by Fil0403 July 19, 2008 5:01 AM PDT
@ Magallanes: Well said, Linus is apparently the black sheep of the family.

@ groink_hi: It would be interesting to check what these people are using today (WordPerfect or Word), because Linus' mother still uses Windows, LOL.
by julesthejackal July 17, 2008 7:52 PM PDT
Linus always speaks his mind and he does not really care who he insults with his comments. He would not make such a bold comment if there was not any truth to it....lol.
by Magallanes July 17, 2008 7:54 PM PDT
I agree (this time) with Torvalds about the security circus. Security currently moves gazillions of dollars; you can find antivirus, antispyware, security advisors and several other services. You may be amazed to find antivirus not just for Windows but also for Linux (and not only email scanners), BSD and even for OS X, PDAs and cellphones (for cellphones there are more antivirus programs than viruses).

Also, about the latest "high security breaches": some are too bizarre and happen only in rare and specific cases, others would require having access to the PC, and others are simply nothing.

Anyway, BSD can be more secure than Linux but lacks several functions and performance, not to mention a community and several applications, so it's not rare to find that Linux is way more popular in comparison with BSD (with the exception of OS X).
by MSSlayer July 18, 2008 11:48 AM PDT
There is a difference between security applications and programming with security in mind. The latter usually doesn't lead to needing the former.
by Fil0403 July 19, 2008 5:13 AM PDT
The assumption in your comment that Linux, BSD, OS X, PDAs and cellphones are 100% secure, to the point that the existence of security software for those platforms is ridiculous, is a typical ignorant Linux/Mac fanboy assumption.

@ MSSlayer: OMG, bye-bye Symantec and the whole security applications industry, it's as easy as "programming with security in mind", how could people not have thought of that before, forget about the error-prone nature of the human being, we have a new Isaac Newton, his name is MSSlayer.
by Penguinisto July 18, 2008 7:23 AM PDT
To be honest - he's right. A bug is a bug is a bug. You can have the absolute most secure application on the planet with zero security bugs... but if it crashes every two minutes, it wouldn't be worth much, would it?
by mabradford July 18, 2008 8:50 AM PDT
I think Linus (Peanuts) Torvalds has just as much right to blast some monkey for masturbating on the planet as anyone else. Do any of you really know where the rock we call Planet Earth came from? where it's going? your origins? the god you claim - can you really see it walk in a bowling alley? Well, if you can't prove any of these - then who are you? You are just some masturbating monkey jumping around on the rock throwing crap at Peanuts -- and you have that right and as long as I'm alive - I'll strive to protect that right. So keep up the good work of masturbating and being a monkey and you all keep throwing crap at each other. By the way - OpenBSD works really well for a few things - but, unlike Mandriva or Ubuntu or Vista - you can't do much else with it. It should be used only in Security situations such as a Firewall and Proxy or PBX. It's good for that - not much else. Oh - and you can type letters with it. :)
Here's to a bunch of masturbating monkeys being free.
Let's stay that way.
Miles
by meystel July 18, 2008 10:37 AM PDT
There is no question that security people are typically black and white, don't like to think outside the box, and are, as a rule, difficult to tolerate. Go Linus!
by MSSlayer July 18, 2008 11:49 AM PDT
It is because they have to deal with idiots on a daily basis who give no thought to security.
by M C July 18, 2008 1:17 PM PDT
Go Linus!

Of course, 90% of CNet's click bait consists of reprinted security press releases, so I don't expect them to side editorially with him.
by johnnyincentx July 18, 2008 6:25 PM PDT
This reminds me of a saying I heard ages ago that made NO sense at all, for it seemed to contradict smart common sense. It was "consistency is the hobgoblin of little minds."
I think that is the source of Torvalds' frustration.

Forcing him to treat every "potential" security issue equally is as idiotic as treating every risk we face equally.

In everyday life people use "risk assessment" automatically to decide how to prioritize various risks we face daily.

That "common sense" should be used for security issues as well.

Just because one exists does NOT mean it will be exploited.

If it is exploited, it does not mean it will be able to be used in a truly harmful way.

If it is exploited, it could happen literally years from the date the issue developed.

To demand all issues be treated with a simple-minded, paranoid ASAP mentality means valuable creative energy which is always in short-supply is being used up to solve issues that are NOT a threat, and may never be a threat.

I think someone like Torvalds is smart enough to know even better than the security marketeers how likely and how quickly an issue is going to develop into a "threat."

Now true everyone needs some checks, but Torvalds is right.

Not every security threat is equal, and treating them as such wastes valuable time and effort of such men.

If we lived every day life like that, no one would ever get out of bed, no one would ever drive a car.

The threat from merely walking to the bathroom and dying from an accidental fall, or dying in a car accident, is probably 1000 times more likely than the threats Torvalds is referring to morphing into something truly serious.

So he's right 100%.
by Fil0403 July 19, 2008 6:33 AM PDT
IMHO your last sentence ruins your post, and is also a typical attitude of Linux/Mac fanboys, to whom anything that is Linux/Mac is perfect, and anything that is even remotely connected to Microsoft sucks big time.
by July 18, 2008 8:51 PM PDT
It's those "masturbating monkeys" that keep the code writers honest. Every time they reveal a problem, and who cares what's motivating them (maybe the same thing that is motivating those monkeys), someone somewhere digs into lines of code and looks for a fix. I'm glad they are there keeping a watch for the rest of us. The bad guys are also looking for the holes, and you can bet your money (which the bad guys are probably stealing from you) they aren't going to go public with what they've learned.
by zae3Ph July 18, 2008 11:26 PM PDT
What was asked of Linus was utterly trivial. It was adding some release notes.

Debian does this. They ship security fixes pronto, and tell you what exploit was closed.

Puerile potty mouth makes both Linus and Linux unattractive. It reinforces the impression of a hacker's playground, not something you really want to use.

His latest silliness has pushed even *me* to look at BSD as a refuge of sanity.

I've been through enough Linux disasters. Forget security bugs, you're lucky if the last released kernel doesn't crash. Only after about 10 patches does it begin to feel stable. That Linus can't see something wrong says volumes.

So I am looking at BSD. OpenBSD has a structured engineering flow with code reviews.

Of course the problem with BSD flavors is hardware drivers. But when I look back over years lost to Linux drivers and kernel configs to make hardware work, I realize it would be less time consuming to roll my own drivers for BSD or OpenSolaris.
by Fil0403 July 19, 2008 6:40 AM PDT
After reading this article and the comments here, I feel like asking "Security vulnerabilities?! Patches?! Linux crashing?! What happened, I thought Linux was perfect, 100% secure, stable and reliable, and never crashed, and Windows was the only OS that crashed and had security vulnerabilities?!" :-S What next? Mac OS X also has security vulnerabilities and also crashes?! LOL.
by TomMariner July 19, 2008 8:11 AM PDT
Agree with Linus overall -- Those who glorify themselves by posting what causes security bugs so that the bad guys can take advantage of them are actually in league with the criminals. Better Internet citizenship could be shown by private communications with the offending company, waiting a decent amount of time, then publicizing. While there should be no reward for ignoring warnings, there also should be no fame for those who facilitate on-line crime.

I live in a world of rewarding bad behavior -- It is incredibly destructive and stops all useful progress dead in its tracks. Unfortunately the only cure is to hope that those in charge recognize the damage before the organization dies.
by ethana2 July 19, 2008 9:32 AM PDT
Who cares what Linus thinks?

"I'm a bastard. I have absolutely no clue why people can ever think otherwise. Yet they do. People think I'm a nice guy, and the fact is that I'm a scheming, conniving bastard who doesn't care for any hurt feelings or lost hours of work, if it just results in what I consider to be a better system. And I'm not just saying that. I'm really not a very nice person. I can say "I don't care" with a straight face, and really mean it."

* Torvalds, Linus (2000-09-06). Message to linux-kernel mailing list. Retrieved on 2007-05-28.

Just use what's best. Right now, that's linux. So what if the dude's a jerk? Just because Reiser was a crazy freak who killed his wife doesn't mean he didn't make a good file system, dangit!
by thedreaming July 28, 2008 12:54 PM PDT
I've never understood why so called "security experts" tell the whole universe about a security flaw they found. Doesn't it make sense to quietly contact the responsible people and simply tell them, "Excuse me, I found a flaw in your program. It is located here." This way the responsible party can fix the flaw quickly without worry that someone will try to exploit it before they can patch it.