Some 'security people are f*cking morons' says Linus Torvalds

Linux overlord Linus Torvalds has offered some very choice words about different approaches to security, during a discussion about whitelisting features proposed for version 4.15 of the Linux kernel. Torvalds' ire was directed at open software aficionado and member of Google's Pixel security team Kees Cook, who he has previously …

  1. Gene Cash Silver badge

    Google's Pixel security team

    There's a crack bunch of professionals, right there!

    When you have little enough confidence in your code that you introduce a fallback mode in case it takes a shit... then that garbage doesn't belong in an OS kernel.

    Linus should have stabbed him in the eye. And the dick. And set him on fire.

    1. Anonymous Coward

      Re: Google's Pixel security team

      When I rollout a new piece of software or system, or run an IT project I've always got a section called "risks" and that always has a subsection called "mitigation".

      We can test new rollouts for months but I am only happy if we have an easy way to "fallback" if things take an unexpected turn for the worst. You rollback, regroup and reconsider.

      It is not a failing when making major, potentially destructive, changes to have considered a position if it doesn't work out.

      1. teknopaul

        Re: Google's Pixel security team

        It does not work like that in the world of C programming, you can't have bugs and worry about them later. You can't reconfigure crashed systems. You can't say there is a risk this has a race but fuckit, let's ship and see if it crops up in the wild. Many bugs result in security issues. Some new wonky code that kills processes it does not like is presuming that those processes are not part of overall stability and security of the system. Probably an incorrect assumption.

        1. Anonymous Coward

          Re: Google's Pixel security team

          "It does not work like that in the world of C programming, you can't have bugs and worry about them later"

          C Programmers are magicians. All software has bugs regardless of what language was used. You will have to worry about them later as someone will discover them and let you know, you then need to go back and fix them.

          1. Ian Joyner Bronze badge

            Re: Google's Pixel security team

            "C Programmers are magicians." More like "Systems programmers are the high priests of a low cult." (1967)

            "The Open Channel". Computer. 13 (3): 78–79. Mar 1980. doi:10.1109/MC.1980.1653540.

            https://en.wikipedia.org/wiki/Robert_S._Barton#Quotes

            It is a frequent excuse for C that you will get bugs in whatever language. But other languages will check for common mistakes and build an abstraction that is checkable when the system is built. With C you mainly have to wait until the system is deployed and hope that some nice person reports the bug, rather than sues you, or worse is a malicious hacker that will take advantage.

            "You will have to worry about them later as someone will discover them and let you know, you then need to go back and fix them."

            Bad philosophy - too late, too costly.

          2. Wayland

            Re: Google's Pixel security team

            "All software has bugs", well that's a false statement.

            In a practical sense a large program probably does have bugs but if a problem is logical then perfect code can be written.

            It is absolutely possible to remove all bugs.

            The problem with C is that it tends not to stop you running a pointer off the end of an array or even using a pointer that's not been set. You're driving down a mountain road with no guard rail but then you should not be using the guard rail.

            1. Kiwi
              Pint

              Re: Google's Pixel security team

              In a practical sense a large program probably does have bugs but if a problem is logical then perfect code can be written.

              I agree that it is theoretically possible to write bug-free code even for considerably large programs.

              The problem is, that code also has to interact with the rest of the system and the users. One of those two will break it. And if the users don't break it, they'll break something else that then breaks the program.

        2. Jason Bloomberg Silver badge

          Re: Google's Pixel security team

          You can't say there is a risk this has a race but fuckit, let's ship and see if it crops up in the wild.

          It's a tough one. Live with potential bugs or ship with a fix which may itself cause problems with a fall-back for when it does?

          It's Linus's project so I guess he gets to decide. I am not always convinced he gets it right and I often dislike the way he deals with those who hold a different opinion to his own.

          1. anonymous boring coward Silver badge

            Re: Google's Pixel security team

            "It's a tough one."

            It's not a "tough one". It's the effing kernel! It's an easy one, and if you can't see that you shouldn't be contributing to the kernel at all.

        3. shawnfromnh

          Re: Google's Pixel security team

          That is more like the Windows 10 philosophy, as in we'll do the updates because they are due to the schedule and then force them onto the users whether they've been fully tested or not and you can't wait or choose not to do the update because they are mandatory and MS knows what is best for your computer even if it causes an endless boot cycle you will take the update again even if you rollback your system and take the update again with the same results because we know best.

          1. Tomato Krill

            Re: Google's Pixel security team

            Aaaand breathe

      2. Wayland

        Re: Google's Pixel security team

        A Rollback is a sensible emergency contingency when you only have the one system to test with, the live one. However Linux has millions of users who are happy to beta test. You'd find those sorts of bugs in that phase. They can surely manage their own rollbacks and backups if they are willing to beta test.

    2. Sil

      Re: Google's Pixel security team

      A project the size of Linux does need a persistent and strict leader.

      However, lashing out at people with such virulence is not productive, decreases morale of existing contributors and will make would-be contributors, some of whom may even be quality ones, think twice before contributing to Linux.

      Believe it or not, it's possible to stay courteous while refusing a patch or remonstrating.

      What the Linux development process seems to miss are monthly/weekly/ad hoc (forum) discussions of desirable new features/changes - before a single line of code is written, so that at least there's an agreement on what to sink time in, what kind of outcome is targeted, and what will never happen.

      1. BillG
        Megaphone

        Lashing Out

        @Sil wrote: A project the size of Linux does need a persistent and strict leader.

        However, lashing out at people with such virulence is not productive,...

        I agree with you in principle. But in practice it can get utterly frustrating just how quietly PERSISTENT stupid can be. For the stupid persistent, they know from experience that if they just keep asking over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over again sooner or later someone will give in. And they know this because it works.

      2. webeindustry

        Re: Google's Pixel security team

        Grow a pair. If some weak developers can't take the heat they are better suited elsewhere. Linus has every reason to call out idiocy from the securitards.

        Which is more unproductive for a large team: being brutally honest or running a fool's errand attempting to cater to everyone's feelings?

        I would never work for these libertards who are all about "inclusion" and "politeness" beyond what is reasonable. Get shit done I don't care about remaining politically correct. If you got the skills and will, contribute and take it as it is. Everything else is secondary.

        1. Matt Judge

          Re: Google's Pixel security team

          Here, here. From someone who has told more than a few managers what I think of their liberal attitudes.

          1. Anonymous Coward

            Re: Google's Pixel security team

            Where, where?

        2. Jonathan 27

          Re: Google's Pixel security team

          I see you've either never been involved in software development or are one of those horrible toxic people who have been fired over and over. Almost no one can get away with being as rude as Torvalds is, the only reason he can is that basically no one can fire him.

          Screaming at team members is never productive. What you do is calmly explain what people have done wrong. Software development is a group activity and you have to work to keep your team dynamic functional. One person publicly calling out others is not something that's productive.

          What does this have to do with "inclusion" and "political correctness"? It's not the message that's wrong, it's the delivery method. Someone does something stupid, you tell them, you explain why it's stupid, you don't scream at them from the rooftops (or the internet equivalent).

          1. jake Silver badge

            Re: Google's Pixel security team

            Jonathan 27, Linus only gets bent out of shape after all other methods bounce off cloth ears. Contributors get plenty of warning when they are messing up. Really. I've been contributing to the kernel for a quarter century now, and made a couple very stupid mistakes along the way. Yet I've never even been growled at. Because I figure out where I went wrong, acknowledge the issue, fix it, and move on. Just like Cook has done with this latest issue, even though it took him a while to grok where he was going wrong.

            On the other hand, if the rare bad language offends you so fucking much, fork the fucking kernel already! All you have to do is find a lead dev who is well versed in kernel development, and a bunch of seasoned kernel hackers to follow him/her. That shouldn't take too long, right? Maybe you could use Kickstarter? Then you can show us all how the kinder, gentler method is so much better. Devs could get "time outs" instead of being yelled at. They could have "do overs" when they break something. Every dev would get a trophy. You could call it "Kumbaya". I'm absolutely certain the world will beat a path to your door.

            Oh, wait, I said "beat". My bad. Did that offend your virgin ears^Weyes?

            Honest to fucking gawd/ess, we're turning into a race of whiners ...

      3. anonymous boring coward Silver badge

        Re: Google's Pixel security team

        Can you imagine how many people demand time from Linus?

        And can you imagine the frustration when idiots demand more and more time?

        Linus obviously wants these contributors to go away and never be heard from again. Can't say I blame him.

      4. boatsman

        Re: Google's Pixel security team

        Political correctness does not cure irresponsible behaviour,

        which is critical when dealing with a software system that millions of people and businesses are relying on.

        It's not unthinkable that human lives might be at risk when you kill a process in a system, although you are not quite sure it needs to be killed; quite possibly you actually never heard of the system your code is running in, let alone understand what it is doing....

        Kees Cook is obviously not quite aware of the context in what he is doing. Too much Pixel focused, I suppose.

      5. iTheHuman

        Re: Google's Pixel security team

        That's not unintentional. That's what you get when you have a huge software project led only by programmers. They've no interest in something unless there is code, and code is more important than design.

  2. PushF12

    Build statues in honor of Linus

    Google hires more for politics than ability now, and it is starting to show.

    We should be building statutes in tribute to Linus.

    1. HmmmYes

      Re: Build statues in honor of Linus

      Or have a whip-round and pay for Linus' sex change ...

      1. Anonymous Coward

        Re: Build statues in honor of Linus

        Sorry. I don't get that.

      2. Hollerithevo

        Re: Build statues in honor of Linus

        @HmmmYes, what is that supposed to mean? Are we supposed to be amused?

    2. bombastic bob Silver badge

      Re: Build statues in honor of Linus

      Forget just a statue, how about a 'classic Greece' SHRINE?

      /me envisions lots of Corinthian columns and marble

      Seriously, though, Linus is right. If you try and put every "but if" you can into the kernel, you'll end up with MS WINDOWS [or worse] and who in the hell wants THAT???

      I have a better idea: if you want "that behavior", write a kernel module to do it. Otherwise, leave everyone ELSE's Linux alone!!!

      Cisco apparently wrote their own "hardened" Linux for their own stuff. Maybe Google needs to take a page out of THEIR handbook, and NOT sit there whining and trying to make EVERYBODY ELSE on the planet "do it THEIR way".

      no icon this time, as I can't think of one that's even remotely relevant to this...

      1. Mark 65

        Re: Build statues in honor of Linus

        Maybe Google needs to take a page out of THEIR handbook, and NOT sit there whining and trying to make EVERYBODY ELSE on the planet "do it THEIR way".

        Sounds like another large company trying to muscle in and do a RedHat. Is this dude the security world’s Poettering?

        1. Kiwi

          Re: Build statues in honor of Linus

          Is this dude the security world’s Poettering?

          I don't think so. This guy did a "I can see there's a problem so I'll pull back and look further" and also a "I learned something today" [who's Kyle Brovlowski again?]

          Pottything would have been unlikely to respond at all, but if so it would've been a "this is not a bug" or "this is a bug but it won't be fixed" - at best.

          Quite a bit of difference. One is willing to admit he could be wrong, the other would if you told him his house was on fire would ignore you or tell you it's only because of the brightness of sunlight shining out of his own backside.

      2. PaulFrederick

        Re: Build statues in honor of Linus

        What we all need to remember is that Linux made Google. Google did not make Linux. Google's billions don't change the facts either. They can stuff that into their Pixel pipe and smoke it too!

    3. wallaby

      Re: Build statues in honor of Linus

      "We should be building statutes in tribute to Linus."

      It would give me something other than my PC screen to throw things at I guess - I'm in, saves me buying a dartboard

    4. patrickstar

      Re: Build statues in honor of Linus

      Kees Cook is not some diversity hire.

      He's a long-time Linux kernel developer and head of the Kernel Self-Protection Project.

      Not that he has been doing a particularly good job at that, or shown much security clue, but certainly more clue than Linus.

      1. Kiwi
        Boffin

        Re: Build statues in honor of Linus

        Not that he has been doing a particularly good job at that, or shown much security clue, but certainly more clue than Linus.

        I've spent a little while over the last couple of days remotely monitoring some suspicious traffic on a machine I part-time administer for someone else.

        My philosophy is "watch, learn, act" - I watched, I spent some time learning about a few processes and tools I'd not yet had to learn about, and I acted - in this case to decide "almost certainly nothing to worry about" but make a few system changes to lessen any potential attack surface (as far as I can tell it was "none" but a little bit extra security should be fine). Oh, and to run a few other basic security checks.

        Now, I could've run "sudo shutdown -h now" which is pretty much the equivalent to what Kees Cook would've done, but that a) would've not solved the problem and b) led to other problems, like the server not being able to perform its other duties.

        If I'd "panicked the kernel" (ie shut down) everything stops - monitoring, logging, ability to watch what's going on, and the ability for some of the staff to do their jobs. "Suspicious behaviour" that turned out to be a non-issue could've had his staff sitting around twiddling their thumbs while I travelled to location, isolated the machine from the network (the arduous task of unplugging the patch cable), and proceeded to spend hours upon hours scanning for the "cause" while also trying to check and if necessary secure the router and so on, or it could be left up, checked in-situ for the nature of the suspicious behaviour, with a phone call from me to do an urgent power down (pull the mains plug) should it look like more of a risk.

        [BTW, the action? He'd thought it'd be great to chuck a torrent client on his always-on server, and later denied knowledge - the persistent Ukraine addresses probably weren't hackers trying to come in, they were most likely other clients wanting the series he'd been downloading - so the action was 2 fold 1) to have a discussion with him, his wife, and a couple of the other staff about system security and 2) to lock him out of the server admin (ie change the password). I do have to figure out a secure way to make it available (in case I'm not available) but so that he cannot get it without bloody good reason

        Oh, and for some reason Nethogs wasn't showing transmission in the list, or any programs, just IP's (hence why I didn't detect it much sooner) - I see on some machines it does and some it doesn't ^O^ .

        At least I have my Christmas travel costs sorted after this ;) ]

  3. Long John Brass

    Userland

    Userland should never ever ever cause the kernel to panic.

    Sure kill a badly behaved process. But the rest of the system should keep trucking on.

    There was an interesting discussion years ago as to the correct failure mode of web-browsers.

    The argument went it's better to render something broken than nothing at all or worse, kill the browser. OS kernel failure modes need to be thought of in the same manner; Unless something is really broken, clean up & carry on.

    1. Ptol

      Re: Userland

      If I believed that someone had hacked into my server, would I try to patch and repair and keep the server going? or would I format the box, and rebuild it?

      So, consider a server that is part of a highly available cluster farm, that is designed for surviving server failures - A kernel detecting an illegal permission escalation attempt deciding to kernel panic? Well, the system is designed to cope with that. Much safer than having a hacker roaming around your server farm for 3 months before you spot them. How do you unpick that mess? The last 2 weeks backups to the disk backup system won't help, that's for sure.

      1. Dazed and Confused

        Re: Userland

        > A kernel detecting an illegal permission escalation attempt deciding to kernel panic?

        No, the correct behaviour is not to allow the permission escalation, if it is via a system call then the call should fail and return -1 and set the ERRNO. If the issue was via an attempted memory access the caller should be killed via the appropriate signal.

        The kernel should only panic when the kernel has a problem, normally when it detects some sort of internal inconsistency.

        The only userland event that should cause a panic is PID 1 existing.
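
Added example, not part of the comment above and not kernel code: a small C program (Linux assumed) showing the two outcomes the comment describes, a refused privilege request that returns -1 with errno set, and a forbidden memory access that ends only the offending process with a signal while its parent carries on. The uid 65534 and all function names are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_UID 65534 /* assumption: the conventional "nobody" uid */

/* Run fn() in a child process; return the raw wait status, or -1 on error. */
static int run_child(int (*fn)(void))
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(fn());
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return status;
}

/* Child: ask for uid 0 without holding the privilege. Exit code = errno. */
static int child_try_escalate(void)
{
    if (geteuid() == 0 && setuid(UNPRIV_UID) != 0)
        return 255;              /* could not become unprivileged first */
    if (setuid(0) == 0)
        return 254;              /* the request was granted: unexpected */
    return errno;                /* the call failed with -1; report errno */
}

/* Child: write to a page that was mapped with no access rights. */
static int child_bad_access(void)
{
    volatile char *p = mmap(NULL, 4096, PROT_NONE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 253;
    p[0] = 1;                    /* the kernel delivers SIGSEGV here */
    return 0;                    /* not reached */
}

/* errno seen by the refused setuid(0); -1 if the unprivileged child could
 * not be set up in this environment, -2 if the request was granted. */
int denied_escalation_errno(void)
{
    int st = run_child(child_try_escalate);
    if (st < 0 || !WIFEXITED(st) || WEXITSTATUS(st) == 255)
        return -1;
    if (WEXITSTATUS(st) == 254)
        return -2;
    return WEXITSTATUS(st);
}

/* Signal that terminated the child doing the bad access, or -1. */
int bad_access_signal(void)
{
    int st = run_child(child_bad_access);
    if (st < 0 || !WIFSIGNALED(st))
        return -1;
    return WTERMSIG(st);
}

int main(void)
{
    int e = denied_escalation_errno();
    int s = bad_access_signal();

    if (e > 0)
        printf("setuid(0) refused: errno %d (%s)\n", e, strerror(e));
    else
        printf("escalation check not conclusive here (code %d)\n", e);
    printf("bad access ended the child with signal %d; parent still runs\n", s);
    return 0;
}
```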

        1. Bronek Kozicki
          Mushroom

          Re: Userland

          I am surprised anyone could downvote you. I guess there are morons who do not see the difference between system user-mode hack and kernel level hack.

        2. Ben Tasker
          Joke

          Re: Userland

          > The only userland event that should cause a panic is PID 1 existing.

          But only if it's SystemD. SysVInit should be allowed to continue as normal

          1. Dazed and Confused

            Re: Userland

            I know you marked this as a joke, but

            > The only userland event that should cause a panic is PID 1 existing.

            But only if it's SystemD. SysVInit should be allowed to continue as normal

            This is one of the issues with systemd, the traditional init was a very simple thing and as such incredibly unlikely to die. Once it had launched the system it became the catcher of orphans, it issues the wait(2) calls to allow them to be reaped. The kernel needs to have somewhere to pass orphan processes, this is why it panics if PID 1 dies.

            IMHO systemd does too much, it has too many interaction points and therefore is much more likely to have defects and therefore at risk of dying. Unlike other userland processes, the death of PID 1 is fatal. So things which are perfectly acceptable in other processes are not tolerable in PID 1.

            1. Ben Tasker

              Re: Userland

              > Unlike other userland processes, the death of PID 1 is fatal. So things which are perfectly acceptable in other processes are not tolerable in PID 1.

              Oh, agreed, but the joke was based on your typo ;)

      2. Paul Crawford Silver badge

        Re: Userland

        "A kernel detecting an illegal permission escalation attempt deciding to kernel panic?"

        For those sort of "user process playing silly buggers" problems we have AppArmor, don't we?

        Edited to add: root is also a user, and one with a greater need for care in terms of daemon processes.

      3. teknopaul

        Re: Userland

        It's not a hacker, it's a process doing something that was a permitted operation before the patch got applied.

        Security folk generally don't grok this. New rules that lock out legal processes that are not run by hackers have not "made the system more secure". Lockouts are a security fail. Bugs. They need fixing.

        IMHO Too often those working in security take the approach of break first ask questions later. And then expect everyone else to change.

      4. Kiwi
        Pirate

        Re: Userland

        If I believed that someone had hacked into my server, would I try to patch and repair and keep the server going? or would I format the box, and rebuild it?

        Funny, I had just this issue. The option taken was to watch and learn, then act.

        Could've gone your way, taken the server down, spent a few days rebuilding (restoring from backups wouldn't have been an option for me, I can't say if there was an earlier intrusion that'd let the miscreants back in), restored the data and databases, and (at a huge cost to the company) had a nice clean server back up.

        Instead the issue turned out to be the password-equipped boss having installed a torrent client, and we resolved the issue without downtime (traffic spike, connected IP's from Ukraine (and other places but they stood out to me for some reason). I could've done the oft-suggested "nuke from orbit and rebuild", but there's a lot of costs involved in that. When it means people can't do their jobs while waiting....

        Not every business that has a few servers has large fault-tolerant server farms, not all can even afford the power to run such things let alone hardware, IT staff etc etc

        And yes, had I seen any signs of actual intrusion we would've been looking to rebuild ASAP (still got monitoring windows open here as I'm happy all is well, but I'm going to keep a weather-eye on it for a while longer yet)

        [Icon coz I suspect that when he and the wife discuss things at home tonight, well....]

  4. jake Silver badge

    Linus showed extreme tolerance, as usual.

    I'd have really lit into the fucking idiots.

    1. wallaby

      Re: Linus showed extreme tolerance, as usual.

      Linus eclipses all the world's f*cking morons

      nobody could ever hope to rise to such levels of advanced muppetry

      1. Uffish

        Re: "rise to such levels of advanced muppetry".

        You are right I suppose, I couldn’t hope to rise to such levels as L.T. inhabits - but I can dream can't I?

      2. Kiwi
        WTF?

        Re: Linus showed extreme tolerance, as usual.

        nobody could ever hope to rise to such levels of advanced muppetry

        Linus's OS[1] Usage : Most devices globally.

        Yours? In fact, how many people around the world even know your name including all your pseudonyms?

        [1] yes yes I know he didn't write the whole thing from scratch himself, but he did get it started, and was a good enough marketeer that others joined him in his Noble Cause™

  5. Mark 85
    Thumb Up

    If only all project management types were like Linus but then they would have to be technically competent. Technical competence always trumps politically correct/corporate ladder climbing.*

    *Or it should anyway.

    1. HmmmYes

      'Technical competence always trumps politically correct/corporate ladder climbing.'

      I see you're new to the world of work + business....

      1. Anonymous Coward

        I once had a director like Linus - business head, not very technical person. It turns out that business people have their share of knowledge, too. It took a little while to get used to him, especially after I found myself on the receiving end more than once. Eventually, I started to learn from him. And learn. And then learn some more. Now I miss him a lot, after I moved elsewhere - and the only fault I can put on him is that he did not enforce the discipline among the developers enough.
