
SoylentNews is people

posted by mrpg on Tuesday November 21 2017, @05:00AM
from the yes-but-be-nice dept.

Linux overlord Linus Torvalds has offered some very choice words about different approaches to security, during a discussion about whitelisting features proposed for version 4.15 of the Linux kernel. Torvalds' ire was directed at open software aficionado and member of Google's Pixel security team Kees Cook, who he has previously accused of idiocy. Cook earned this round of shoutiness after he posted a request to "Please pull these hardened usercopy changes for v4.15-rc1."

[...] Torvalds has long been unafraid to express himself in whatever language he chooses on the kernel and has earned criticism for allowing it to become a toxic workplace. He's shrugged off those accusations with an argument that his strong language is not personal, as he is defending Linux rather than criticising individuals. On this occasion his strong language is directed at a team and Cook's approach to security, rather than directly at Cook himself. It's still a nasty lot of language to have directed at anyone.

Some 'security people are f*cking morons' says Linus Torvalds

[Reference]: [GIT PULL] usercopy whitelisting for v4.15-rc1
[Linus' Response]: Re: [GIT PULL] usercopy whitelisting for v4.15-rc1


  • (Score: 1, Insightful) by Anonymous Coward on Tuesday November 21 2017, @05:27PM (#599736)

    The fundamental problem is that "security" (of some object) almost always comes at the expense of "availability" of that same object. Here "security" is a measure of how difficult unauthorized use of the object is, and "availability" is how easy authorized use is. The value of the object being protected has to be considered to find a good tradeoff on these axes.

    For example, suppose I have a snow shovel which I use to clear snow but I don't like my neighbours to use it.

    At one end of the spectrum, I could leave my snow shovel leaning against the wall next to the path I need to clear. This is very high availability: I just pick up the shovel and start shoveling. But very low security: anyone else can do that too, taking my shovel and using it for themselves.

    At the other end of the spectrum, I could leave my shovel locked in a vault deep underground in another part of the country, with armed guards and the like. This is very high security, nobody will take my shovel. But very low availability: using the shovel now requires planning in advance and it is probably not possible to retrieve it on the days it is most needed. And if I misplace the key to the vault, the shovel is lost forever anyway.

    Most people quite reasonably value availability more than they value security, most of the time, because the value of securing things is usually low compared to the cost of losing access to them.
