I saw a link in my feeds list this morning about Linus Torvalds’ “opinion on BSD.” The link went to a small article that concentrated on one small quote from a posting in which Linus dismissed the focus on security at the expense of other bugs.
Security people are often the black-and-white kind of people that I can’t stand. I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them.
Certainly interesting and colorful fodder for discussion on many levels. It’s lost, though, in the context of an important discussion about security.
It comes in a discussion about transparency of the way Linux developers handle security issues. The person to whom Linus was replying is a security specialist who releases the grsecurity patches and PaX, which is a kernel-level security implementation that restricts address space read-write access. In recent months, grsecurity has taken the position that Linux developers “hide” too much when releasing security updates; the concerns about issues in kernel 2.6 have led grsecurity to advise against using 2.6 if possible:
Due to Linux kernel developers continuing to silently fix exploitable bugs (in particular, trivially exploitable NULL ptr dereference bugs continue to be fixed without any mention of their security implications) we continue to suggest that the 2.6 kernels be avoided if possible.
It is not clear if the PaX Team will be able to continue supporting future versions of the 2.6 kernels, given their rapid rate of release and the incredible amount of work that goes into porting such a low-level enhancement to the kernel (especially now in view of the reworking of the i386/x86-64 trees). It may be necessary that grsecurity instead track the Ubuntu LTS kernel so that users can have a stable kernel with up-to-date security fixes. I will update this page when a final decision has been reached.
I think what’s more interesting — and disturbing — in the whole discussion isn’t Linus’ likening OpenBSD developers to “masturbating monkeys” but rather his view that all bugs are equal.
While it may be a hassle to have quirky or erratic behavior because of a particular poorly-written module, it pales in comparison to vulnerabilities allowing remote or local system compromise. Speaking of comparisons, here’s the same historical data as in the two previous links for OpenBSD 3.x, OpenBSD 4.0, OpenBSD 4.1, and OpenBSD 4.2 — not exactly apples-to-apples since BSDs are a bit more than a kernel.
This isn’t immediately about protecting the kind of twats who play with desktop root-only distros like Puppy (a separate issue, aggravated by sloppy permissions abuse and the ridiculous belief that they’re invincible because they’re not using Windows), because that isn’t the most lucrative market for Linux. It could have grave consequences for enterprise users, including government agencies, with sensitive information to protect. You may not care if someone on your network can cause a DoS or if pictures of your kittens are pilfered, but you should care if your Social Security number or health information is easily accessible to those who shouldn’t be able to access it. It can very adversely affect your privacy and your future. And you should care if you run servers and they’ve been herded for criminal activities (such as to manage a “kennel” of a botnet of Puppy machines).
I accept and appreciate Linus’ point that all bugs are serious and that everyone who fixes a bug is deserving of praise. I disagree, though, that having eyes focused on security is a hindrance to getting “smaller” issues resolved. That certainly hasn’t been the experience in OpenBSD, whose developers have on more than one occasion been months ahead of the curve on all manner of bugs plaguing other operating systems (including Linux). OpenBSD’s strict coding practices are set in place specifically to make auditing code for all bugs easier.
Security is generally only as strong as the weakest link: the user. You can have a tight operating system like OpenBSD and open it all up so that it’s insecure. Or you can take an “insecure” OS and tighten it up so that it’s very safe. That’s why I roll my eyes when I read some gullible fool prating about being more secure with Linux than Windows, whether it’s a Puppy user (root only and usually running very vulnerable software) or the guy who boasted about running DSL in QEMU in Windows at Internet cafes or someone who doesn’t realize his fresh install of ___ (whatever distro) has several processes running that expose him to the world. That all comes down to what users do with what they’re given. Users can be responsible or irresponsible with it.
Developers can make it easier or more difficult to keep systems secure. It’s disconcerting that Linus would be so dismissive of the attention security gets. In that same thread, the person to whom he made the “masturbating monkeys” comment pointed out that other Linux developers have leveled the same complaints about the nature of security issues and the lack of disclosure in addressing them. He linked to one of Willy Tarreau’s (Tarreau is now the 2.4 maintainer) comments on LKML:
I don’t like obfuscation at all WRT security issues, it does far more harm than good because it reduces the probability to get them picked and fixed by users, maintainers, distro packagers, etc…
What’s really worse, being likened to “masturbating monkeys” or being called an obfuscator when it comes to the way security issues are handled? And what of all the Linux advocacy that mentions open source being inherently more secure because it’s “open”?
Maybe that’s not really a selling point after all.
(Edited to include Secunia links for comparison purposes.)