Washington Post questions Linux kernel security
The Washington Post has been doing a series on the vulnerabilities of the Internet. Part five of the series focuses on Linus Torvalds and the state of security in the Linux kernel. Does Linus need to focus more on security?
Craig Timberg reports for The Washington Post:
But while Linux is fast, flexible and free, a growing chorus of critics warn that it has security weaknesses that could be fixed but haven’t been. Worse, as Internet security has surged as a subject of international concern, Torvalds has engaged in an occasionally profane standoff with experts on the subject. One group he has dismissed as “masturbating monkeys.”
The rift between Torvalds and security experts is a particular source of worry for those who see Linux becoming the dominant operating system at a time when technology is blurring the borders between the online and offline worlds. Much as Windows long was the standard for personal computers, Linux runs on most of the Internet’s servers.
Over several hours of conversation, Torvalds, 45, disputed suggestions that security is not important to him or to Linux, but he acknowledged being “at odds” with some security experts. His broader message was this: Security of any system can never be perfect. So it always must be weighed against other priorities — such as speed, flexibility and ease of use — in a series of inherently nuanced trade-offs. This is a process, Torvalds suggested, poorly understood by his critics.
When the interviewer asked whether Linux — designed in an era before hacking had become a major criminal enterprise, a tool of war and constant threat to the privacy of billions of people — was due for a security overhaul after 24 years, Torvalds replied, “You’re making sense, and you may even be right.”
Readers of The Washington Post shared their thoughts about Linux and security:
Ccppcsharp: ”Torvalds would never treat the security of his home as casually as he does the security of Linux.”
Altizar: ”I have to say Linus Torvalds is right. No matter how many security features, walls, tunnels, etc you add. There are just that many more loop holes and breaches added that people can go through to bypass them. The true core should be the fastest, most optimal, and stable. If you want security, you can add it to everything before it gets to the computer. cause if you add it to the core, you do nothing but slow it down and get zero additional benefits.”
Rmctwo: ”Yes, Linux did come from Unix and both are trash.”
Roxe: ”As long as there are processes, semaphores, threads, and execution paths between the kernel and the rest of the OS, just baking in security code is never the right answer. The problem is the kernel and the rest of the OS all depend on memory, and the stack and heap memory is where the majority of exploits work at. There are some complex metamorphic malware that can easily hide its memory footprint and fool the best security researchers in the world (even though the "experts" claim otherwise). ”
Art Schwartz: ”The Linux security issues must be considered against the backdrop of the filthy-rich, hole-ridden "operating system" called Windows. Securing the kernel is equivalent to circling the heart with prophylaxis and then living a self destroying life style - no exercise, calorie laden diet, etc. Torvalds, as usual, is dead right.”
Dmarney: ”My take on all this is that it is a great mistake to think of security as one thing. Security is a mind-set that gets expressed in many layers of processes, techniques, and most importantly, human policies. What Linus is saying is that the kernel is just one part among many, and the absolutely best contribution we can make to a more secure system is to have the kernel be well-written.”
Francois: ”Security barriers need to be built into multiple layers of defense in every level, including the microprocessor, motherboard, hypervisor, OS kernel, firewall software, network hardware, and personal prudence. Only when the failure of no single one of these can result in breach can you be safe. ”
Skeptic1: ”This article is pretty unbalanced. It paints Professor Torvalds as uncaring about security. And it almost exclusively quotes security experts who have something to sell. ”
Hanging Chad: ”Linux can be quite secure, but requires knowledge and skill to maintain. Most IT administrators are low paid babysitters, who have no clue how to use the vi editor, write scripts or recompile a new kernel.”
Barraclough: ”Good for Linus. The industry that calls itself "IT security" is a pure racket--filled with charlatans, paranoid schizophrenics and outright frauds. The amount of money that's been wasted on these crooks to maintain the fiction of "taking security seriously" is simply unfathomable.”