Linus Torvalds slammed a Google security expert about his approach to cybersecurity after a request to change the Linux kernel, saying some security professionals are 'f*cking morons.'

Proposed changes to version 4.15 of the Linux kernel resulted in Linux creator Linus Torvalds admitting that he doesn’t “trust security people to do sane things” and some security professionals, in Torvalds’ opinion, are just “f*cking morons.”

This round of profanity and insults started after Kees Cook, who works on security for Google Pixel, submitted a pull request on the Linux kernel mailing list. Kees asked Torvalds to “please pull these hardened usercopy changes for v4.15-rc1” which “significantly narrows the areas of memory that can be copied to/from userspace in the face of usercopy bugs by adding explicit whitelisting for slab cache regions.”

“This has lived in -next for quite some time without major problems, but there were some late-discovered missing whitelists, so a fallback mode was added just to make sure we don’t break anything,” Cook added. “I expect to remove the fallback mode in a release or two.”

That alone didn’t set Torvalds’ temper ticking too much; he said he didn’t have the time to spend on it. The proposed changes were “scary” because they “touch core stuff” in the kernel, with Torvalds adding, “I don’t trust security people to do sane things.”

In short, Torvalds believes “hardening” results in bugs because the changes aren’t thoroughly tested. People suggesting such changes, he said, believe “security is so important that nothing else matters.”

Yet that wasn’t the end of it, as Red Hat software engineer and KVM maintainer Paolo Bonzini suggested it wasn’t too scary and urged Torvalds to do the pull request.
Cook chimed in again, offering more details about why he introduced fallback mode: “With both kvm and sctp (ipv6) not noticed until late in the development cycle, I became much less satisfied it had gotten sufficient testing.”

Unacceptable ‘security person’ behavior

Temper clearly ticking, Torvalds lit into Cook.

“So honestly, this is the kind of completely unacceptable ‘security person’ behavior that we had with the original user access hardening too, and made that much more painful than it ever should have been,” he said.

Oh, but Torvalds was just getting started.

“IT IS NOT ACCEPTABLE when security people set magical new rules, and then make the kernel panic when those new rules are violated,” he said.

“That is pure and utter b*llshit. We’ve had more than a quarter century _without_ those rules, you don’t then suddenly waltz in and say, ‘oh, everybody must do this, and if you haven’t, we will kill the kernel,’” he added.

Torvalds went on to tell Cook that by introducing fallback mode late into the series, it showed “HOW INCREDIBLY BROKEN the series started out.”

‘Security problems are just bugs’

Torvalds then suggested that as a security person, Cook needed to repeat the mantra “security problems are just bugs.
The important part about ‘just bugs’ is that you need to understand that the patches you then introduce for things like hardening are primarily for DEBUGGING.”

Furthermore, Torvalds said, “As long as you see your hardening efforts primarily as a ‘let me kill the machine/process on bad behavior,’ I will stop taking those sh*t patches.”

Although Torvalds said some security people have scoffed at him when he says “security problems are primarily ‘just bugs,’ those security people are f*cking morons.” In fact, if a security person won’t accept “that security problems are primarily just bugs,” then Torvalds doesn’t “want to work” with them.

“If you don’t see your job as ‘debugging first,’ I’m simply not interested,” he said.

“Stop this idiotic ‘kill on sight, ask questions later,’” he added. “Because it’s wrong.”

Instead, Torvalds suggested:

So the hardening efforts should instead _start_ from the standpoint of “let’s warn about what looks dangerous, and maybe in a _year_ when we’ve warned for a long time, and we are confident that we’ve actually caught all the normal cases, _then_ we can start taking more drastic measures.”

Cook didn’t crawl in a hole after the scathing rebuke, and he didn’t return like-for-like. He instead replied, “I think my main flaw in helping bring these defenses to the kernel has been thinking they can be fully tested during a single development cycle, and this mistake was made quite clear this cycle, which is why I adjusted the series like I did.”

As for Torvalds’ claim that “people apparently didn’t learn a godd*mn thing” after the previous user mode access hardening, Cook said, “Well, I’d like to think I did learn something, since I fixed up this series _before_ you yelled at me. :)”

The Linux kernel is Torvalds’ baby, and he made it clear he is not interested in big changes, even for the sake of potentially better security, without fully knowing what the blowback will be. This latest rant will most assuredly not be his last.