Security Problems Are Primarily Just Bugs, Linus Torvalds Says (iu.edu)
2017-11-20
Linus Torvalds, in his signature voice: Some security people have scoffed at me when I say that security problems are primarily "just bugs." Those security people are f*cking morons. Because honestly, the kind of security person who doesn't accept that security problems are primarily just bugs, I don't want to work with. Security firm Errata Security has defended Linus's point of view.
Security by obscurity, government backdoors, etc. Those are not bugs.
If your OS is not open-source, forget release/review processes. If the NSA tells you to add this black box of code, you fucking do it.
True, but. (Score:2)
It's true, security problems usually exploit a bug. BUT, in general, there is a systematic problem underneath the bug, which allows a bug in a program to escalate to gain access to root-level systems. So, it's not just a bug, but a bug that is built on a system that does not have security built in.
I am assuming Torvalds considers not building security into a system is a bug. Consider software which does not prevent SQL injection attacks. If there was no attempt to prevent these attacks, technically the code is working as intended. Security simply was not a consideration. But in practice I believe it is still fair to consider that a bug.
Aren't SQL injection attacks usually queued commands? Isn't the ability to queue multiple SQL commands in one string a flaw in itself? Ex: what possible harm would it do to require a "drop table" command to be called on its own, etc.?
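An added illustration of the two comments above (example code written for this page, not code from the article or from either poster). It uses Python's standard sqlite3 module against a constructed in-memory table with two rows. The point it makes: refusing stacked statements, as the second comment suggests, does stop a "'; DROP TABLE ..." payload, because the driver's execute() only runs one statement at a time, but it does nothing against an injection that stays inside a single statement (the "' OR '1'='1" tautology). The actual fix for the "bug" the first comment describes is binding the value as a parameter so it never becomes SQL syntax at all. The table name, column names and sample rows are assumptions made up for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table with two users (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_unsafe(conn, name):
    """The bug: untrusted input is concatenated into the SQL text, so it can change the query's meaning."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The fix: the value is bound by the driver and is only ever compared as data."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def stacked_statement_rejected(conn, name):
    """True if the driver refuses to run the concatenated text as more than one statement.

    sqlite3's execute() is single-statement only (older Pythons raise sqlite3.Warning,
    newer ones sqlite3.ProgrammingError), which is exactly the "no queued commands"
    restriction the comment above asks for. It blocks stacking, but not the tautology.
    """
    try:
        lookup_unsafe(conn, name)
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"
    stacked = "bob'; DROP TABLE users; --"
    print("unsafe, tautology:", lookup_unsafe(db, tautology))      # both rows leak
    print("safe,   tautology:", lookup_safe(db, tautology))        # no such user: []
    print("unsafe, stacked rejected:", stacked_statement_rejected(db, stacked))
    print("safe,   stacked:", lookup_safe(db, stacked))            # []
    print("table intact:", lookup_safe(db, "bob"))
```

Run it as a script to see the two behaviours side by side; the single-statement rule alone leaves the tautology working, which is why parameterization, not statement counting, is the usual fix.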
Security problems are NOT just bugs (Score:2)
Linus's context is entirely in terms of the kernel. If you ignore that, you write comments that are complete non-sequiturs.
He said they were "primarily" bugs. By "problem", I would guess he is talking about issues in properly set up software.
You are right about there being other issues in practice but you might argue better without using a strawman.
Bug or feature? (Score:1)
The alternative would be "features"
Linus is mostly right (Score:2)
At least when you take into account that people should design security in today. So from the coding angle, pretty much "just bugs". From the testing angle often vastly different, as in functionality testing you check for the presence of functionality, but in security testing you check for the absence of functionality. Individual tests are still pretty similar, but getting test-coverage is very different and a lot more difficult.
Of course, the "just bugs" view also requires that the developers actually under
We will NEVER, EVER have 100% of all developers understand security at the level required to make 100% secure programs.
What we need is OS and languages that have security built-in, the same way programmers don't know assembly and UEFI and yet can still code and make programs.