KS2010: Security

Posted Nov 5, 2010 9:37 UTC (Fri) by dlang (✭ supporter ✭, #313)
In reply to: KS2010: Security by mingo
Parent article: KS2010: Security

quote: Have you considered the theoretical possibility that Linus honestly believes that the 'security circus' stock full of parasitic poseurs exists?

As someone who makes a living in the security field, I can assure you that there is plenty of security circus and the field has a huge number of parasitic poseurs in it. Anyone who doesn't believe this, please explain current airport security in real cost/risk terms.

There are also a lot of us who are just trying to keep ahead of the bad guys and explain the problems to management; unfortunately we have a hard task to do and it isn't nearly as appealing as the marketing security circus to management that doesn't understand the technology at all.


KS2010: Security

Posted Nov 5, 2010 10:26 UTC (Fri) by mingo (subscriber, #31122)

there are also a lot of us who are just trying to keep ahead of the bad guys and explain the problems to management

Yeah. And i think you can consider Linus one of your best allies in that quest really. (He just refuses to play the circus - and IMHO he has rather good and consistent arguments for that.)

KS2010: Security

Posted Nov 5, 2010 11:24 UTC (Fri) by ortalo (subscriber, #4654)

Héhé, I hope he has seen that nice recommendation!

More seriously, that "circus" issue is really an annoying one and very deeply rooted in the field, I second that. Furthermore, from my own experience (subjective of course), I have to admit that most people with some responsibility (the "bosses") tend to be much more attentive to legal or marketing reasons than to practical/technical ones, from the security-oriented point of view. I am sure even Linus (or myself) can also feel this natural bias. This seems to me the fundamental reason why such theatrical activity can exist and persist. And while the circus plays and attracts attention in the forefront, technical problems and vulnerabilities bury themselves deeply in the code where they can stay for years, and users opportunistically take advantage of the low light to write their passwords on a sheet of paper they "hide" in their wallet.

I have yet to fully understand the reasons for the long-lasting existence of all this useless drama. But to me, it seems that this security circus is indeed a reality that we will need to cope with for a long time (from a historical perspective, it may be that it fades away behind actual action in war times, but that's not a good reason to drop general pacifism... ;-).

So that refusal from the top-level kernel maintainer to play in the security circus sounds like overall good news to me; but then, how does he want to play the security game (to get practical and continuous improvements to the overall security level of the kernel)?

Note: I certainly have a lot of ideas to propose on this topic: I've just deleted a lot of lines in this comment (the most interesting ones were probably associated with applying Coccinelle to identify missing "consts").
However, the only comment I want to make is: then, how does Linus want to improve security management of the kernel (assuming he thinks improvements are possible)?

KS2010: Security

Posted Nov 5, 2010 15:09 UTC (Fri) by dlang (✭ supporter ✭, #313)

The key thing here is that the kernel developers are fixing security bugs; they are fixing them just like all other bugs, as fast as they can find them and figure them out.

And they think that they are doing a pretty good job, and don't see a reason to make significant changes.

KS2010: Security

Posted Nov 5, 2010 12:51 UTC (Fri) by spender (subscriber, #23067)

Can you elaborate on how TSA and the airline industry prevent the Linux kernel developers from developing even rudimentary security measures?

-Brad

KS2010: Security

Posted Nov 5, 2010 14:10 UTC (Fri) by Lionel_Debroux (subscriber, #30014)

I feel that this rhetorical question may sway the discussion, not good ;-)

KS2010: Security

Posted Nov 5, 2010 15:20 UTC (Fri) by spender (subscriber, #23067)

Which is the point. The entire 'security circus' business is an excuse to avoid the real issues here. Phrased differently, what does 'security circus' have to do with upstream improving the security of their own kernel?

The answer is: "nothing." So why is it brought up so much when it's completely irrelevant to any kind of discussion we're having here?

I can think of a million better questions, like "what is Linux doing to attract security talent for mainline work instead of pushing away potential contributors?" or "Linux is used on millions of systems; why isn't there a single person employed full-time to improve upstream kernel security?" or "How can we move away from the find bug/patch bug mindset/approach to security?"

But it says a lot about an individual and their view toward security when the most useful thing they can muster is some regurgitated crap about "security circus" as if they're saying something insightful or intelligent.

-Brad

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds