Buggy? Angry? LET IT ALL OUT says Linus Torvalds

Linux overlord Linus Torvalds has articulated views on security at Linux.conf.au, and seems to be closer to Google's way of thinking than Microsoft's. Torvalds, along with Debian luminary Bdale Garbee, Samba man Andrew Tridgell, and kernel coder Rusty Russell spent an hour answering conference attendees' questions last week. …

  1. Anonymous Coward

    How do you think "script kiddies" manage to hack places? Using scripts. Such scripts are drawn up using all the disclosures about bugs.

    1. Magnus_Pym

      How do you think 'script kiddies' get away with it for so long

      just because you don't know about the flaw doesn't mean no-one does.

      1. admiraljkb

        Re: How do you think 'script kiddies' get away with it for so long

        >>just because you don't know about the flaw doesn't mean no-one does.

        @Magnus_Pym is quite correct. In the current era of a menagerie of criminal groups, government agencies (globally, pick a country, any country), and others like hacktivist groups, there are a LOT of flaws that are undisclosed, already found and WAITING for the right time to exploit. This isn't the good old days with a solitary kid in his basement hacking away for the lulz of it, it's now serious business. Responsible/timely disclosure should be mandatory, because other people probably already know about the vulnerability and are holding the exploit for it in reserve until the "time is right".

    2. David Dawson

      No, the one does not follow the other.

      Hacking tools are built by clever devs, yes. They are sometimes picked up by script kiddies, sure. Where the vulnerability information they are based on comes from is an open question.

      There are established market places for information like this, which wouldn't be the case if it all came from public disclosure reports. It seems likely that a goodly proportion of the data publicly disclosed is actually being rediscovered by legitimate researchers, and is in use already as an attack vector.

      Publicly disclosing ASAP in those cases is essential.

      Part of the problem is that it's very often unclear when those cases are, hence some in the industry leaning towards general disclosure (as Google and Linus promote), and others leaning towards selective disclosure.

      1. Roland6 Silver badge

        >"There are established market places for information like this, which wouldn't be the case if it all came from public disclosure reports."

        I think the main effect of encouraging quicker public disclosure will be to reduce the value of a known loophole. With companies quietly sitting on bugs, they create a black market for known exploits: so if I were to discover a vulnerability, it is probably in my interest to sell it on the black market, and the longer the bug goes unfixed the greater (hopefully) my return.

        With public disclosure however, we significantly increase the exposure of a bug, making it much easier for "script kiddies" to hack something together "for a laugh" (remember the early PC viruses?).

        Additionally, just as we've seen with services such as Virus Central, a public list permits the holder of an exploit to firstly assess whether anyone else has discovered the exploit and secondly to track its closure; knowing these contributed to the value and hence price placed on an exploit.

        Whilst the effect of this might be to make major companies such as MS et al. more proactive on fixing bugs, I suspect a knock-on effect will be both an increase in price and a reduction in the current included service level, due to the additional costs being incurred in maintenance and support.

        So I think that we need to be sure that bugs are 'publicly' disclosed in a way that facilitates their distribution to those who wish to guard us against their exploitation and those who will ultimately fix the bug itself, but discourages/minimises disclosure to those who wish to exploit the bug.

      2. Anonymous Coward

        If anyone wonders why Linux is not taken seriously in the corporate world you just need to look at the tie die T-shirt and sandal wearing proponent of the OS in this vid.

        Linux - The OS of the 1960's.

        1. Doctor Syntax Silver badge

          " look at the tie die"

          Really! Professional shills ought at least to be literate. The correct spelling is "dye".

          1. admiraljkb
            Joke

            " look at the tie die"

            >> Really! Professional shills ought at least to be literate. The correct spelling is "dye".

            It might have been "Deutchlish" - then it would translate to "tie the shirt"? If that is the case, they might have a point. Tied shirts like those worn by Daisy Duke and other backwoods beauties would be unprofessional in the workplace. Not that I've seen a Linux-using Daisy Duke in IT yet.... *sigh* hehe

    3. SolidSquid

      True, but generally either those bugs have been patched and the scripts only affect older versions, the disclosure was done on the darknet rather than publicly (so the developers aren't aware of the issue), or it was disclosed to the company first then publicly and the developers have decided it wasn't a big enough issue to be worth patching.

      Public disclosure of a bug is a pretty small proportion of automated scripts, which tend to favour detecting and exploiting known existing bugs which just might not have had the patches installed yet and using that to get access to the server, and an internal IP for the network to access other systems (like the Sony server hacks back when Geohot was sued, the boxes used for entry hadn't been patched in years despite fixes for the bugs the hackers exploited having been released for some time)

      1. jake Silver badge

        @SolidSquid

        "on the darknet"

        There is no "darknet". That meme was generated by computer illiterate journalists. Probably after hearing about "dark fiber", which by definition isn't really important in this kind of discussion.

        1. chivo243 Silver badge

          Re: @SolidSquid

          @ Jake

          There may not be a "darknet" but there are some dark alleys of the internet I'd rather not enter...

        2. Anonymous Coward

          Re: @SolidSquid

          Google "goatse" and tell me there is no darknet

        3. lambda_beta
          Linux

          Re: @SolidSquid

          Illiterate journalists mean dark matter, which everyone knows is the force behind skynet. Dark fiber is the outcome of brown barley consumed in enormous quantities.

        4. Tom 13

          Re: "on the darknet"

          I'd be more inclined to think it was a cyberpunk author. Given we all know what it means, it is now a good and useful word.

          1. Michael Wojcik Silver badge

            Re: "on the darknet"

            Given we all know what it means,

            The premise is false. I have no idea what "darknet" is supposed to mean, beyond "ooh, scary people have network connections".

            it is now a good and useful word.

            And even if the premise were true, I reject that enthymeme. Common meaning is not sufficient to make a word useful, except in the degenerate sense of "has some possible use". If it doesn't add some novel and productive connotation or rhetorical effect to the vocabulary, why is it useful in any practical sense?

            (In this context, "good" is meaningless, so I'll ignore it.)

            1. Daniel B.

              Re: "on the darknet"

              The premise is false. I have no idea what "darknet" is supposed to mean, beyond "ooh, scary people have network connections".

              It usually refers to hidden networks that allow connected users to remain anonymous, like Tor or Darknet (yes, there's an actual "darknet" called Darknet).

    4. Tom 7

      The best way to find flaws is to use the methods that should be used in testing in the first place: take part of an API and fire shit at it until it fails in a way you can take advantage of. Twenty years ago this was almost pointless but now you can exercise an interface with several tens of million different bits of crap in a second - a lot easier than reading the source code.

      1. Michael Wojcik Silver badge

        The best way to find flaws is to use the methods that should be used in testing in the first place: take part of an API and fire shit at it until it fails in a way you can take advantage of. Twenty years ago this was almost pointless but now you can exercise an interface with several tens of million different bits of crap in a second - a lot easier than reading the source code.

        Fuzzing and other forms of black-box testing are certainly important, but there's no justification for calling them the "best way to find flaws". That's simply wrong.

        Historically, many important vulnerabilities that were discovered by other means - whether that's reading source code, manipulating multiple documented interfaces, or whatever - could not possibly have been discovered by fuzzing, because they require manipulating multiple vulnerabilities in ways that combinatorial explosion puts far beyond the reach of (pseudo-)random brute force. Tavis Ormandy's #GP Trap Handler exploit for Windows is a good example.

        Analytically, it ought to be obvious that there can't be a "best" method of security analysis in any absolute sense, because requirements are situational. If I'm testing the part of my threat model that involves someone breaking into a data center and physically stealing drives, fuzzing APIs isn't going to do me a damn bit of good.

        Many people want to condense IT security down to some simple set of rules. Ain't gonna happen. Complicated systems are complicated.
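Both of the comments above make a claim that is easier to see in code than in prose: Tom 7's, that throwing mutated garbage at an interface finds bugs cheaply, and Michael Wojcik's, that some bugs sit behind a sequence of interactions that a single-input fuzzer never reaches. The following is an added example written for this thread; it is not code from The Register, from either commenter, or from any real project (it is not OpenSSL, and the "#GP Trap Handler" bug is not modelled). Both targets are invented toys, each with one deliberate bug, and the seed input, mutation strategy and iteration counts are assumptions chosen so the example runs offline in a second.

```python
import random
import struct

# Everything below is a constructed example for this thread, not code from
# The Register, Linus Torvalds, or any real project. Both "targets" are toys
# built to contain one deliberate bug each.

# Target 1: a tiny type-length-value record parser (invented, not OpenSSL).
def parse_tlv(data: bytes) -> list:
    records = []
    i = 0
    while i + 2 <= len(data):
        rtype, length = data[i], data[i + 1]
        i += 2
        value = data[i:i + length]   # shorter than `length` if the input is truncated
        i += length
        if rtype == 0x01:
            # BUG: trusts the declared length, so a short value makes unpack raise
            records.append(("u16", struct.unpack(">H", value[:2])[0]))
        else:
            records.append(("raw", value))
    return records

# Target 2: a toy stateful API whose bug needs a specific call sequence.
class Session:
    def __init__(self) -> None:
        self.version = 1
        self.keys = b"k" * 16          # valid keys until a bad negotiation

    def negotiate(self, version: int) -> None:
        if version not in (1, 2, 3):
            raise ValueError("unsupported version")   # intended rejection
        self.version = version
        # BUG: the version-3 path forgets to install keys
        self.keys = None if version == 3 else b"k" * 16

    def encrypt(self, payload: bytes) -> bytes:
        # raises TypeError only after negotiate(3) has left keys as None
        return bytes(b ^ k for b, k in zip(payload, self.keys))

SEED = bytes([0x01, 0x02, 0x00, 0x05, 0x02, 0x01, 0x41])   # constructed valid input

def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random byte-level edit: truncate, overwrite, or insert."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and len(buf) > 1:
        return bytes(buf[:rng.randrange(1, len(buf))])
    if choice == 1:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
        return bytes(buf)
    pos = rng.randrange(len(buf) + 1)
    buf[pos:pos] = bytes([rng.randrange(256)])
    return bytes(buf)

def fuzz_single_input(target, seed: bytes, iterations: int, rng_seed: int = 1):
    """Mutate one input at a time; any uncaught exception counts as a crash.
    Returns (crashing_input, exception) or (None, None)."""
    rng = random.Random(rng_seed)
    corpus = [seed]
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
        except Exception as exc:
            return candidate, exc
        if len(corpus) < 64:
            corpus.append(candidate)
    return None, None

def fuzz_call_sequence(iterations: int, rng_seed: int = 1):
    """Drive Session with random call sequences instead of single blobs.
    Returns (call_trace, exception) or (None, None)."""
    rng = random.Random(rng_seed)
    for _ in range(iterations):
        session = Session()
        trace = []
        for _ in range(rng.randrange(1, 5)):
            if rng.random() < 0.5:
                trace.append(("negotiate", rng.choice((1, 2, 3))))
            else:
                payload = bytes(rng.randrange(256) for _ in range(rng.randrange(8)))
                trace.append(("encrypt", payload))
        try:
            for name, arg in trace:
                getattr(session, name)(arg)
        except Exception as exc:
            return trace, exc
    return None, None

if __name__ == "__main__":
    print("parser bug:", fuzz_single_input(parse_tlv, SEED, 2000))
    print("session via single blob:", fuzz_single_input(lambda d: Session().encrypt(d), SEED, 2000))
    print("session via call sequence:", fuzz_call_sequence(2000))
```

The first call finds the parser's missing length check within a handful of mutations, which is Tom 7's point. The second call, feeding the same blobs to `Session().encrypt`, never crashes no matter how long it runs, because the bug only exists in a session that has first negotiated version 3: the harness, not the mutation engine, decides what is reachable. The third call reaches it only because the harness was rewritten to generate call sequences, and with a larger API and wider argument spaces that sequence space grows combinatorially, which is the limit Michael Wojcik describes.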

    5. Lee D Silver badge

      If someone, anyone, a security researcher or some kid downloading something from the Internet, is able to tweak a setting and compromise a system... it DOES NOT MATTER the origin of that information. There are entire markets with 0-day flaws, there are flaws floating about IRC channels and Usenet, there are pre-built hacking tools just ready to download and craft your own version of any particular exploit.

      The fix is not to pretend the flaw doesn't exist, couldn't be found by someone else, etc. It's to patch it. As soon as you can. As well as you can. Rather than bury your head in the sand.

      And "testing" some of those patches is almost not necessary - the fixes are so simple as to be auditable quite quickly and only in very isolated components that serve one particular task.

      Take the OpenSSL flaws. Some of those were hinted at and reported. When I looked through the OpenSSL code, it was a mess, but anyone with time on their hands and reason to do so could have found those flaws YEARS ago and kept a lid on it all that time. The fix is not to then go into a 90-day hiatus and eke out every second of non-disclosure. It's to fix the problem ASAP. For 90 days, someone in Google, probably several people, has KNOWN of that flaw. It's been in a database that probably dozens of people had access to. Any compromise at Google would have given someone a 90-day window of flaw execution. Why is it that people "don't trust Google" for years but all of a sudden they expect them to hold onto such a flaw perfectly and never reveal it.

      It's a flaw. Someone knows about it. Fix it. Whether that someone is your own security team, a security researcher (of course, they are ALL trustworthy and would never sell their skills on the black market on the side....), or some kid on the Internet. Fix the damn problem.

    6. Anonymous Coward

      "How do you think "script kiddies" manage to hack places? using scripts. Such scripts are drawn up using all the disclosures about bugs."

      So? It's not the fault of the one who discloses the flaw.

      People seem to misunderstand the "full disclosure" concept. It does NOT mean: I find a bug, I publish it right away.

      What it actually means is: I find a bug, I inform whoever is in charge of the code, I give them a reasonable amount of time to fix it, I may even remind them after a while. If they still choose not to do anything about it, Joe Public has the right to know that the product he uses is being neglected by the people who provided it to him.

      Google's 90 days limit seems reasonable enough. Most disclosers wait even longer.

      Many reports also include a working example of how to abuse the flaw (exploit) or even an explanation or even a code example of how to fix it! If $provider chooses to ignore flaws over extended periods of time, they obviously don't give a toss. Going public is the only way to force them into doing something about it.

    7. Michael Wojcik Silver badge

      How do you think "script kiddies" manage to hack places?

      A better question is why do you think your ignorant and trivial argument is interesting?

      As Linus noted, and as I and other commentators have mentioned several times in these discussions, the question of responsible disclosure has been publicly and prominently debated for decades. What in the world would make you think that this sort of handwaving observation, even if it were true (and it is not), would be any sort of contribution?

  2. Anonymous Coward

    Sounds like he needs a kernel upgrade

    No need to be a dick.

    1. Anonymous Coward

      Re: No need to be a dick.

      But if enough people kiss your arse even when you are a dick then there's no reason to behave differently.

      Year of the linux desktop? Not while the public face of linux and the internet voices of its devotees remain so pompous, arrogant and just downright unpleasant...

      1. Stuart 22

        Re: No need to be a dick.

        That's what you get when you leave developers in charge of development. Crisp code they can cope with, mushy people less so. Now a marketeer might be a lot more polite but ....

      2. fandom

        Re: No need to be a dick.

        "But if enough people kiss your arse even when you are a dick".

        Well, when you talk about "pompous, arrogant and just downright unpleasant" you certainly know what you are talking about.

        1. Androgynous Cupboard Silver badge

          Re: No need to be a dick.

          Who do you want building your kernel? Someone who eats, breathes and sleeps it and will trample over anyone and anything to do so, or someone that's aware of the "wider picture", the business case for delayed releases, the internal politics of large organisations?

          There is room in this world for single-minded, borderline autistic obsessives - I want them building my kernels, my braking systems and my parachutes.

          1. asdf

            Re: No need to be a dick.

            >- I want them building my kernels, my braking systems and my parachutes.

            Unless they are encouraging people to cut your brake lines like Linus (half jokingly and also said something about poison in their coffee if I remember) did to the ARM SoC developers.

          2. Anonymous Coward

            Re: Who do you want building your kernel?

            What's with the assumption that to be any good at coding you have to be a dick? Coding skills and social skills aren't really related.

            Did it ever occur to you that his attitude might put off good engineers with valid contributions to make?

            1. Tom 13

              Re: Who do you want building your kernel?

              If you're willing to admit that coding skills and social skills are on independent axes, why do you keep being a dick and insisting only people who have both can code important projects?

              I'm always amazed at how many people love Hugh Laurie in House, yet rant endlessly about such people when they are real life bosses.

        2. Anonymous Coward

          @Fandom: Well, when you talk about "pompous, arrogant and just downright unpleasant"...

          ... you certainly know what you are talking about.

          I am rubber, you are glue! Hey, if we're going to just do the "No, you are!" argument, let's do it properly.

          Difficult to judge my pompousness from one anonymous post though. Torvalds is all over the internet....

      3. Graham Hawkins

        Re: No need to be a dick.

        > Not while the public face of linux and the internet voices of its devotees remain so pompous, arrogant and just downright unpleasant...

        Not, of course, a charge that can be levelled at the upper echelons of any closed-source OS companies, or their devotees.

      4. yossarianuk

        Re: No need to be a dick.

        > Not while the public face of linux and the internet voices of its devotees remain so pompous, arrogant and just downright unpleasant...

        So Enterprise, phones, tablets, toasters, watches, fridges, cars, etc are fine with such a person.

        Why does the desktop need nice people again ?

        1. Anonymous Coward

          Re: No need to be a dick.

          Because many of them are done by Google, who are bloody good at marketing and, by saying Android, are damned good at avoiding mentioning Linux.

      5. Jim 59

        Re: No need to be a dick.

        Lol, yeah because punters in PC World always base their laptop buying decisions on the attitude of the chief kernel developer. FFS.

      6. FIA Silver badge

        Re: No need to be a dick.

        "Year of the linux desktop? Not while ..." Microsoft maintain a monopoly on IT in the workplace and consumer focused computing increasingly moves to tablets and mobiles. (and Macs).

        ;)

        Jobs was a dick and people still seem to like his shiny shiny.

        Most non techie* desktop users don't even know who Linus is.

        (*Aside: I really wanted to write 'techy' here, but I couldn't stop thinking of Mr Flibble).

        1. Teiwaz

          Re: No need to be a dick Mr Flibble

          I think you were confusing it with 'tetchy'. And that was an argument between Lister & Kryten.

          Mr Flibble says "Go see the king of the potato people after class."

      7. Fluffy Bunny
        Paris Hilton

        Re: No need to be a dick.

        "so pompous, arrogant and just downright unpleasant..."

        You mean just like most of the other "industry leaders"?

      8. Michael Wojcik Silver badge

        Re: No need to be a dick.

        Year of the linux desktop? Not while the public face of linux and the internet voices of its devotees remain so pompous, arrogant and just downright unpleasant...

        So true. Why, Windows would never have become popular if Gates and Ballmer weren't so damn charismatic. And the Apple OSes also clearly owe their success to the modest charm of Mr Jobs.

        Really, I can't think of a single OS that doesn't owe its success to some saintly technical leader.

    2. chivo243 Silver badge

      Re: Sounds like he needs a kernel upgrade

      I'd punch him, that is all.

      1. tony2heads

        @chivo243

        be careful; his wife, Tove, is a karate champion

    3. phil dude
      Linux

      Re: Sounds like he needs a kernel upgrade

      and yet you're A/C, so how do we know what *you* do for a living?

      Seriously, I get why LT is not concerned about his social persona.

      Perhaps there is the lesson about meritocracy here?

      Have politicians blinded us all with their "polite but incompetent" veneer?

      There is short enough supply of competent people in this world, LT seems to have found the groove that plays the nicest tune...

      P.

  3. jake Silver badge

    There is a difference between asshattery and "not-my-problem & I'm tired of hearing about it".

    "Might Torvalds have been aware of Google's twin disclosures of as-yet-unpatched Windows flaws last week? Sadly that question didn't come up during the talk."

    Methinks Torvalds doesn't give a shit about Windows flaws. Not his problem. Nor mine.

  4. Anonymous Coward

    So he admits it

    He is unfit for the workplace. He may well be the darling of the penguinista fanbois, but that is no excuse for him being aggressive and insulting. If he wasn't idolised so much he would have been fired a long time ago for bullying.

    If Linux wants to be taken seriously, they have got to find a better poster-boy.

    As for 5 days to disclosure...no wonder Linux is derided. Some people have real work to do and can't spend 24/7 sat on the command line recompiling their kernels because some amateur screwed up. Again.

    At least with professional software you (usually) get updates at a predictable cadence and can plan the patches. Seems Mr Torvalds would rather have us firehose the damned things and that just won't happen.

    1. solo

      Re: So he admits it

      ..that he is not working because he is thinking of saving humanity. He's just being humble at the most (not calling himself Superman).

    2. Martyn 1

      Re: So he admits it

      "He is unfit for the workplace. .... no excuse for him being aggressive and insulting. If he wasn't idolised so much he would have been fired a long time ago for bullying."

      You could have said the same about Steve Balmer before he quit to sit on his pile of ca$h ;-)

      1. Mad Chaz

        Re: So he admits it

        Or Jobs. Rumor has it he was one heck of an asshole to work for.

        1. JDX Gold badge

          Re: So he admits it

          Gates was known for being pretty tough too in the early days, but more on the technical side where you might get ripped apart if your proposal wasn't thorough.

        2. Anonymous Coward

          Pattern Recognition. Re: So he admits it

          Linus. Jobs. Ballmer. Larry Ellison. Jeff Bezos. Bill Gates was reputed to be pretty brutal too, although most of his blow-ups were kept private.

          Anybody else seeing a pattern here?

          1. Anonymous Coward

            Re: Pattern Recognition. So he admits it

            Yes - the pattern is they are all being bell-ends.

          2. Anonymous Coward

            Re: Pattern Recognition. So he admits it

            Yes, realizing I'm a bit charm impaired as well, even I can see that they all would benefit from a good ass kicking out behind the barn. No excuse for bullying.
