Linus Torvalds, yes – that Linus – the guy that started the Linux movement back in the day, went on a rant this summer on the gmane.linux.kernel forum. I have been meaning to write about this for a while now but kept getting sidetracked.

Here is just one point that he made. “I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them.”

I am guessing that he got a significant amount of flame mail about that one.

But I want to address his main point which, after extrapolating the monkeys from the equation, is something like this. Security vulnerabilities are just a subset of all the other kinds of software bugs that exist. Why do we treat them as special cases? Should we treat them as special cases? Linus says, “It makes “heroes” out of security people, as if the people who don’t just fix normal bugs aren’t as important […] I don’t think some spectacular security hole should be glorified or cared about as being any more “special” than a random spectacular crash due to bad locking.”

Fair enough; especially in the open-source world where a good bulk of the programming is done by volunteers who do it for free. Surely the gear head who spent hours of his own personal time fixing the bad locking issue is just as important as the white hat who closed that nasty little buffer overflow problem on his own time.

I get it, Linus. I am willing to show a little love for the standard gear heads out there. Hell, I think all of the gear heads deserve their own Miller Beer Commercial.

But (and you knew there was going to be a “but”, didn’t you?), does it really hurt us that much to dedicate some resources to only finding the security issues? In terms of impact, the two kinds of issues aren’t even in the same ballpark. The locking problem prevents you from using your application; that is a nuisance. The buffer overflow problem may cause you to unwittingly open up your entire network to some unsavory individuals who most likely associate with monkeys; that is bad – really bad.

Don’t get me wrong. I understand Linus’ frustration. In terms of arrogance, all of the security programmers that I know (and a bunch of them that work for me) are chock-full of that arrogance stuff. That’s what I like about them, but they can be a little hard to take sometimes and the OpenBSD guys that Linus was complaining about have that going on in spades. But their shenanigans kind of remind me of that old George C. Scott movie entitled Patton. General Omar Bradley, played by Karl Malden, was describing Patton to an aide. He said something like, “Give Patton a newspaper headline and he is good for another 60 miles of German territory.”

Well, the OpenBSD guys and most of the security bug hunters out there are just like Patton; a little arrogant (ok, ok, significantly arrogant), but give them a little credit and they rush back to their little dark caves illuminated by the flickering monitor and find just one more security bug. And I love them for it.

So Linus, when those arrogant little SOBs start to get under your skin, just call me. We will head over to the local drinking hole, grab a cold beer and salute the gear heads of the world. But this time, you have to sit next to the monkeys.