Net of Insecurity: The kernel of the argument – Washington Post
“In 1992,” he said, “I was like, ‘Wow, it does everything I wanted it to do. What now?’ ”
Torvalds had little choice but to become the general of an unruly volunteer army. As the kernel grew from 10,000 lines of code to 19 million, Torvalds created an elaborate and remarkably functional system that, every couple of months, offered a free update of the Linux kernel to anyone who wanted it.
Based on the kernel, others then tailored the operating systems to their own tastes and purposes, adding even more lines of code that collectively became fully fledged “distributions” of Linux that ran on various types of computers. The price of admission to this elaborate process was faith in Torvalds, although some went the extra step of making some kind of offering to their hero: free computer gear, company T-shirts or penguin dolls (because a squat, cheerful-looking aquatic waterfowl — usually sitting lazily on its butt — was the symbol of Linux).
Years of spinning such devotion into well-honed computer code has shaped a development process that is gradual and evolutionary. The goal is to fix problems and adapt to new hardware, while never causing malfunctions. This idea is enshrined, somewhat antiseptically, in Torvalds’s often-stated prohibition against what he calls “breaking user space” — essentially, causing something that a user depends on to stop working. But there is nothing antiseptic about his reaction when somebody violates this cardinal rule.
One notorious exchange came in December 2012, when Torvalds publicly raged to a regular Linux contributor who had proposed a flawed patch: “WE DO NOT BREAK USERSPACE! Seriously. How hard is this rule to understand? We particularly don’t break user space with TOTAL CRAP. I’m angry, because your whole email was so _horribly_ wrong, and the patch that broke things was so obviously crap.”
Torvalds sometimes expresses regret about his rhetorical excesses, but the emotion that boils up in these moments is unmistakably real, fueled by his fierce sense of guardianship over Linux.
The effect of Torvalds’s approach to managing the kernel — defensive, gradualist, sometimes cranky — chilled debate about the security of Linux even as it became a bigger, richer target for hackers. The result, critics argue, is that while Linux in its early days was widely considered a safer choice than Windows or other commercial operating systems, the edge has dwindled and perhaps disappeared.
“While I don’t think that the Linux kernel has a terrible track record, it’s certainly much worse than a lot of people would like it to be,” said Matthew Garrett, principal security engineer for CoreOS, a San Francisco company that produces an operating system based on Linux. At a time when research into protecting software has grown increasingly sophisticated, Garrett said, “very little of that research has been incorporated into Linux.”
Versions of Linux have proved vulnerable to some of the most serious bugs in recent years, including Heartbleed and Shellshock. AshleyMadison.com, the site that facilitates extramarital affairs and suffered an embarrassing data breach in July, was reportedly running Linux on its servers, as do many companies.
Those problems did not involve the kernel itself, but experts say the kernel has become a popular target for hackers building “botnets,” giant networks of computers that can be organized to attack targets. Experts also say that government spies — and the companies that sell them surveillance tools — have turned their attention to the kernel as Linux has spread.
The Security Intelligence Response Team for Akamai, a leading Internet content delivery company, spoke bluntly on the rising vulnerability of Linux in September when it announced the discovery of a massive botnet that attacked up to 20 targets worldwide each day.
“A decade ago, Linux was seen as the more secure alternative to Windows environments, which suffered the lion’s share of attacks at the time,” Akamai’s security team wrote. But the sharply rising popularity of Linux has meant “the potential opportunity and rewards for criminals have also grown. Attackers will continue to evolve their tactics and tools and security professionals should continue to harden their Linux-based systems accordingly.”
But harden how?