Security People =? “f*cking morons”

Thomas Phillips
Published in Chicken Codes, Nov 21, 2017

Linus Torvalds — you know, that Linux guy — just wrote,

Some security people have scoffed at me when I say that security
problems are primarily “just bugs”.

Those security people are f*cking morons.

Because honestly, the kind of security person who doesn’t accept that
security problems are primarily just bugs, I don’t want to work with.
If you don’t see your job as “debugging first”, I’m simply not
interested.

That is pretty serious language there. And to his point, I say, “Amen, brother!”

Linus is 100% correct. Any security problem is equivalent to a system operating in a manner that the user finds undesirable. If it were not undesirable, then the system behavior would be deemed an acceptable use.

Many people think that those cracker hackers out there are some kind of black magic voodoo witchdoctors who transport their consciousness into the computer, cajoling it into doing their bidding. I am sorry to break the myth, but a cracker hacker is more like a cockroach scuttling around in the darkness, sniffing around in every corner looking for dropped food.

Cracking a system is essentially slow, boring bug hunting.

There are two major problems we face in cybersecurity. First, organizations take delivery of systems that already have bugs in them. (I’m looking at you, Microsoft.) Second, organizations play Lego with their systems over the years, eventually cobbling together some kind of Rube Goldberg junkyard monster that is inherently flawed and unstable.

The first problem can be addressed with diligent vendors and responsible security researchers who report their findings. The second problem is an artifact of an unrelenting quest for profit, without understanding the nature of information technology. I have seen so many good IT guys practically beg for tiny amounts of funds to fix, refresh, or modernize their systems, only to be told that their cost center was not important enough to justify the funds. Technical debt is real and it will eat your lunch if you are not careful.

Yes, security problems are bugs, and preventative maintenance is important for any system you depend on, including IT systems.
