Torvalds attacks IT industry 'security circus'

A correction was made to this story. Read below for details.

Linux creator Linus Torvalds has labeled makers of the OpenBSD operating system a "bunch of masturbating monkeys," as part of a wider critique of what he said was self-centered behavior in the IT security industry.

In an e-mail to the Linux kernel developer mailing list, Torvalds said a section of the security industry was dedicated to finding bugs in software only to publicize their findings and gain notoriety.

The row erupted in the Gmane mailing list after a developer for the PaX Team, which patches the Linux kernel, accused Torvalds and other top Linux kernel developers of "covering up (the) security impact of bugs" by not clearly labeling them as security flaws.

Torvalds wrote that disclosing the bug itself was enough, without having to label each individual security flaw. He added that taking the bugs to the "security circus" level only glorified the wrong kind of behavior. "It makes heroes out of security people, as if the people who...fix normal bugs aren't as important," wrote Torvalds.

What was left behind for the developers were all the "boring" bugs, which Torvalds considered more important due to their volume.

"Boring normal bugs are way more important, just because there's a lot more of them," wrote Torvalds. "I don't think some spectacular security hole should be glorified or cared about as being any more 'special' than a random spectacular crash due to bad locking," he said.

The Linux leader went on to state that "security people are often the black-and-white kind of people that I can't stand."

Torvalds appeared particularly irked by the creators of the OpenBSD operating system, who have focused on security and auditing when developing their variant of Unix. OpenBSD is known to be used in high-security environments such as the U.S. Federal Bureau of Investigation.

"I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them. To me, security is important. But it's no less important than everything else that is also important!" Torvalds concluded.

Torvalds' comments drew various reactions from the OpenBSD developer community. In an e-mail exchange with ZDNet.co.uk, developer Ken Westerback wrote that an interest in security should lead to fixing all bugs.

"As far as I am concerned OpenBSD is the project with the most demonstrated interest in fixing all bugs found, no matter how trivial, and to systematically examine all source code for instances of bugs encountered," wrote Westerback. "I believe that this is the bedrock principle of pursuing security--software that 'just works' rather than software with Rube Goldberg constructs of knobs and security theater scenery."

Westerback wrote that software produced by people interested in security "probably works better in most cases because a belief in simplicity, clarity, and consistency usually produces better code than other approaches."

Developer Kjell Wooding agreed that OpenBSD coders treat bugs with equal significance.

"There is a certain irony to Linus' comment there," wrote Wooding in an e-mail to ZDNet.co.uk. "The 'a bug is a bug' principle that he is espousing is exactly the approach taken by the OpenBSD developers that I know. The OpenBSD I know doesn't concentrate on security--it concentrates on correctness."

OpenBSD developer Bob Beck told ZDNet.co.uk that Torvalds' comments showed "ignorance," as OpenBSD coders did take the approach of dealing with bugs equally.

"The comments sound like much of the usual chestbeating we are used to seeing to make all the fanboys and girls on the lists swoon," wrote Beck. "Realistically it just demonstrates an ignorance of the OpenBSD project."

Beck added that Torvalds' comments were unfortunate, in that they could encourage Linux "fanboys and girls" to not focus on code quality.

"Those sorts of unfounded statements probably contribute to the type of attitude in Linux distributions that results in them introducing spectacular bugs into software ported into their distributions from OpenBSD, such as the recent Debian vulnerabilities," wrote Beck. "To the fanboys, this says 'don't listen to security-concerned people--they're just masturbating monkeys.' Which leads to more bugs to fix."

Both Wooding and Beck took Torvalds' comments in good humor. "I don't know what Linus' beef is. He seems to be on the same page with respect to this issue. And the 'masturbating monkey' thing? Well that's just funny," wrote Wooding.

OpenBSD developer Artur Grabowski wrote on Thursday that Torvalds had been in touch with the OpenBSD community.

"I talked to Linus about this already, he was humble about it and said it didn't look like it from the outside that we shared the same view," wrote Grabowski. "We all had a laugh about it."

Liam Tung writes for ZDNet Australia. Tom Espiner, who reports for ZDNet.co.uk in London, contributed to this report.
Correction: This article incorrectly characterized Linus Torvalds' last response to the OpenBSD community.

Maybe Linus should get over himself and get a life.
Posted by protagonistic (1868 comments)
Technically he does have a life. He has a wife and three children and apparently is paid enough to support them. Maybe we have different definitions of a life.
Posted by unknown unknown (1951 comments)
Regardless of whether it was right or wrong, calling people "a bunch of masturbating monkeys" is classic, just classic.
Posted by turoa76 (28 comments)
Linus is a cool guy. He doesn't give a damn about what others think about his words and that's why I love him for it!!! A free man must be able to freely express his opinions without regard to authority or anything like that. Most people look up to him as some authority figure; he himself doesn't feel that way and doesn't feel people should treat him that way. That's the cool part about his popularity, he doesn't give a damn. And when he does notice something wrong, he would acknowledge it and move on. And based on the history of his work, he gets things done, unlike most people I know or have worked with.
Posted by humanssssss (721 comments)
Yes, he doesn't give a damn now, but he will soon enough once major Linux security flaws are announced more often. He'll quickly see how so-called "secure" OSes go down in flames and I just have to laugh. First, it was one of the biggest lies perpetrated on the industry touting Linux as "free", and then the spin that it was far more secure than Windows and Solaris. What a joke.
Posted by WJeansonne (480 comments)
They've been saying that for well over a decade now, my dear MSFT Troll... the last one of any consequence at all died off in 2001. How's Windows doing by comparison? ;)
Posted by Penguinisto (5042 comments)
@ Penguinisto: You've also been predicting Windows' downfall and Linux's explosion/market dominance for well over a decade now, my dear Linux Troll... The last time Windows had less than 90% market share was also well more than a decade ago. How's Linux doing by comparison? ;)
Posted by Fil0403 (1303 comments)
You got to love Linus Torvalds. Anything that isn't Linux, he makes fun of and uses personal attacks on. He once called Mac OSX "crap" when Steve Jobs offered him a job debugging the MACH kernel. I forget what he called Windows, but then all of the Linux Fanboys already use personal attacks on Windows and Bill Gates so much that I forgot what Linus Torvalds's original words on Windows even were. Now he is attacking OpenBSD. I think at one time he attacked GNOME or KDE developers. They don't call Linus Torvalds the Benevolent Dictator for nothing; he really lives up to his name.
Posted by Orion Blastar (590 comments)
The real funny part is, he actually uses solid, technical reasons to back up his claims. More than I can say for half the jokers in this joint. :)
Posted by Penguinisto (5042 comments)
@ Penguinisto: Yeah, because there is nothing more solid and technical than calling people "a bunch of masturbating monkeys" because they care "too much" about security. But yeah, I gotta agree that, notwithstanding that, he (still) manages to back up his claims better than most "jokers in this joint" (the name "Penguinisto" suddenly comes to my mind, I'm not really sure why). :)
Posted by Fil0403 (1303 comments)
Linus said in an interview that his own mother and sister still use Windows instead of Linux. That's pretty sad when your own mother doesn't even stand behind you.
Posted by ferretboy88 (676 comments)
The shoemaker's son always goes barefoot.
Posted by Magallanes (190 comments)
That's not the first time a family member has turned against another's product. Back in the 1980s, Bill Gates' father's law firm used only WordPerfect for word processing. Bill reportedly walked into the office and started whining about why everyone there wasn't using Microsoft Word. One of the lawyers then told Bill the faults of Word, such as that it didn't handle templates well (templates were very VERY important among legal eagles).
Posted by groink_hi (380 comments)
@ Magallanes: Well said, Linus is apparently the black sheep of the family.

@ groink_hi: It would be interesting to check what these people are using today (WordPerfect or Word), because Linus' mother still uses Windows, LOL.
Posted by Fil0403 (1303 comments)
Linus always speaks his mind and he does not really care who he insults with his comments. He would not make such a bold comment if there was not any truth to it....lol.
Posted by julesthejackal (3 comments)
I agreed (this time) with Torvalds about the security circus. Security currently moves gazillions of dollars; you can find antivirus, antispyware, security advisors and several other services. You can be amazed to find antivirus not just for Windows but also for Linux (and not only email scanners), BSD and even for OSX, PDAs and cellphones (for cellphones there are more antiviruses than viruses).

Also, about the latest "high security breaches", some are too bizarre and happen only in rare and specific cases, others require access to the PC, and others are simply nothing.

Anyway, BSD can be more secure than Linux but lacks several functions and performance, not to mention a community and several applications, so it's not rare to find that Linux is way more popular in comparison with BSD (with the exception of OSX).
Posted by Magallanes (190 comments)
There is a difference between security applications and programming with security in mind. The latter usually doesn't lead to needing the former.
Posted by MSSlayer (1074 comments)
The assumption in your comment that Linux, BSD, OSX, PDAs and cellphones are 100% secure, to the point that the existence of security software for those platforms is ridiculous, is a typical ignorant Linux/Mac fanboy assumption.

@ MSSlayer: OMG, bye-bye Symantec and the whole security applications industry, it's as easy as "programming with security in mind", how could people not have thought of that before, forget about the error-prone nature of the human being, we have a new Isaac Newton, his name is MSSlayer.
Posted by Fil0403 (1303 comments)
To be honest - he's right. A bug is a bug is a bug. You can have the absolute most secure application on the planet with zero security bugs... but if it crashes every two minutes, it wouldn't be worth much, would it?
Posted by Penguinisto (5042 comments)
I think Linus (Peanuts) Torvalds has just as much right to blast some monkey for masturbating on the planet as anyone else. Do any of you really know where the rock we call Planet Earth came from? Where it's going? Your origins? The god you claim - can you really see it walk in a bowling alley? Well, if you can't prove any of these - then who are you? You are just some masturbating monkey jumping around on the rock throwing crap at Peanuts -- and you have that right, and as long as I'm alive - I'll strive to protect that right. So keep up the good work of masturbating and being a monkey and you all keep throwing crap at each other. By the way - OpenBSD works really well for a few things - but, unlike Mandriva or Ubuntu or Vista - you can't do much else with it. It should be used only in security situations such as a firewall and proxy or PBX. It's good for that - not much else. Oh - and you can type letters with it. :)
Here's to a bunch of masturbating monkeys being free.
Let's stay that way.
Posted by mabradford (36 comments)
There is no question that security people are typically black and white, don't like to think outside the box, and are, as a rule, difficult to tolerate. Go Linus!
Posted by meystel (4 comments)
It is because they have to deal with idiots on a daily basis who give no thought to security.
Posted by MSSlayer (1074 comments)
Go Linus!

Of course, 90% of CNet's click bait consists of reprinted security press releases, so I don't expect them to side editorially with him.
Posted by M C (598 comments)
This reminds me of a saying I heard ages ago that made NO sense at all, for it seemed to contradict smart common sense. It was "consistency is the hobgoblin of little minds."
I think that is the source of Torvalds' frustration.

Forcing him to treat every "potential" security issue equally is as idiotic as treating every risk we face equally.

In everyday life people use "risk assessment" automatically to decide how to prioritize various risks we face daily.

That "common sense" should be used for security issues as well.

Just because one exists does NOT mean it will be exploited.

If it is exploited, it does not mean it will be able to be used in a truly harmful way.

If it is exploited, it could happen literally years from the date the issue developed.

To demand all issues be treated with a simple-minded, paranoid ASAP mentality means valuable creative energy, which is always in short supply, is being used up to solve issues that are NOT a threat, and may never be a threat.

I think someone like Torvalds is smart enough to know even better than the security marketeers how likely and how quickly an issue is going to develop into a "threat."

Now, true, everyone needs some checks, but Torvalds is right.

Not every security threat is equal, and treating them as such wastes valuable time and effort of such men.

If we lived every day life like that, no one would ever get out of bed, no one would ever drive a car.

The threat of merely walking to the bathroom and dying from an accidental fall, or dying in a car accident, is probably 1000 times more likely than the threats Torvalds is referring to morphing into something truly serious.

So he's right, 100%.
Posted by johnnyincentx (7 comments)
IMHO your last sentence ruins your post, and is also a typical attitude of Linux/Mac fanboys, to whom anything that is Linux/Mac is perfect, and anything that is even remotely connected to Microsoft sucks big time.
Posted by Fil0403 (1303 comments)
It's those "masturbating monkeys" that keep the code writers honest. Every time they reveal a problem, and who cares what's motivating them (maybe the same thing that is motivating those monkeys), someone somewhere digs into lines of code and looks for a fix. I'm glad they are there keeping a watch for the rest of us. The bad guys are also looking for the holes, and you can bet your money (which the bad guys are probably stealing from you) that they aren't going to go public with what they've learned.
Posted by (1 comment)
What was asked of Linus was utterly trivial. It was adding some release notes.

Debian does this. They ship security fixes pronto, and tell you what exploit was closed.

Puerile potty mouth makes both Linus and Linux unattractive. It reinforces the impression of a hacker's playground, not something you really want to use.

His latest silliness has pushed even *me* to look at BSD as a refuge of sanity.

I've been through enough Linux disasters. Forget security bugs, you're lucky if the last released kernel doesn't crash. Only after about 10 patches does it begin to feel stable. That Linus can't see something wrong says volumes.

So I am looking at BSD. OpenBSD has a structured engineering flow with code reviews.

Of course the problem with BSD flavors is hardware drivers. But when I look back over years lost to Linux drivers and kernel configs to make hardware work, I realize it would be less time consuming to roll my own drivers for BSD or OpenSolaris.
Posted by zae3Ph (2 comments)
After reading this article and the comments here, I feel like asking "Security vulnerabilities?! Patches?! Linux crashing?! What happened, I thought Linux was perfect, 100% secure, stable and reliable, and never crashed, and Windows was the only OS that crashed and had security vulnerabilities?!" :-S What next? Mac OS X also has security vulnerabilities and also crashes?! LOL.
Posted by Fil0403 (1303 comments)
Agree with Linus overall -- Those who glorify themselves by posting what causes security bugs so that the bad guys can take advantage of them are actually in league with the criminals. Better Internet citizenship could be shown by private communications with the offending company, waiting a decent amount of time, then publicizing. While there should be no reward for ignoring warnings, there also should be no fame for those who facilitate on-line crime.

I live in a world of rewarding bad behavior -- It is incredibly destructive and stops all useful progress dead in its tracks. Unfortunately the only cure is to hope that those in charge recognize the damage before the organization dies.
Posted by TomMariner (762 comments)
Who cares what Linus thinks?

"I'm a bastard. I have absolutely no clue why people can ever think otherwise. Yet they do. People think I'm a nice guy, and the fact is that I'm a scheming, conniving bastard who doesn't care for any hurt feelings or lost hours of work, if it just results in what I consider to be a better system. And I'm not just saying that. I'm really not a very nice person. I can say "I don't care" with a straight face, and really mean it."

* Torvalds, Linus (2000-09-06). Message to linux-kernel mailing list. Retrieved on 2007-05-28.

Just use what's best. Right now, that's Linux. So what if the dude's a jerk? Just because Reiser was a crazy freak who killed his wife doesn't mean he didn't make a good file system, dangit!
Posted by ethana2 (348 comments)
I've never understood why so called "security experts" tell the whole universe about a security flaw they found. Doesn't it make sense to quietly contact the responsible people and simply tell them, "Excuse me, I found a flaw in your program. It is located here." This way the responsible party can fix the flaw quickly without worry that someone will try to exploit it before they can patch it.
Posted by thedreaming (573 comments)
