http://theories.darwinsys.com:80/categories/security/ Call it a Blog if you like -- Ian en Ian Darwin Sun, 19 Oct 2008 19:23:00 GMT Pebble (http://pebble.sourceforge.net) http://backend.userland.com/rss http://theories.darwinsys.com:80/2008/10/18/1224362460000.html &quot;Airport security in America is a sham&mdash;&ldquo;security theater&rdquo; designed to make travelers feel better and catch stupid terrorists. Smart ones can get through security with fake boarding passes and all manner of prohibited items&mdash;as our correspondent did with ease...&quot;<br /> <br /> There's nothing I can add to <a href="http://www.theatlantic.com/doc/200811/airport-security">this</a>. While you're there, check the other security-related articles on the site. Politics Security http://theories.darwinsys.com:80/2008/10/18/1224362460000.html#comments http://theories.darwinsys.com:80/2008/10/18/1224362460000.html Sat, 18 Oct 2008 20:41:00 GMT http://theories.darwinsys.com:80/2008/07/16/1216230840000.html Linux founder Linus Torvalds makes an amazing claim about Linux security (or not) on gmane.kernel.org (I'm not even gonna help <a href="http://en.wikipedia.org/wiki/Pagerank">pagerank</a> that article by linking to it; search the newsgroup name and the date 2008-07-08). Speaking about security fixes, he says:<br /> <blockquote>... It makes &quot;heroes&quot; out of security people, as if the people who [just]<br /> fix normal bugs aren't as important.<br /> </blockquote> <blockquote>In fact, all the boring normal bugs are _<u>way</u>_ more important, just <br /> because there's a lot more of them. I don't think some spectacular <br /> security hole should be glorified or cared about as being any <br /> more &quot;special&quot; than a random spectacular crash due to bad locking.<br /> </blockquote> <blockquote>Security people are often the black-and-white kind of people that I <br /> can't stand. I think the OpenBSD crowd is a bunch of masturbating <br /> monkeys, in that they make such a big deal about concentrating <br /> on security to the point where they pretty much admit that nothing <br /> else matters to them.</blockquote> Normal bugs are &quot;way more important&quot; than security to Linus, the guy in charge of Linux? I'm sure gonna think twice before running Linux on anything connected to the Internet. If he'd actually read the <a href="http://www.openbsd.org/security.html">OpenBSD security policy</a> document, or any of our <a href="http://www.openbsd.org/papers/">presentations at conferences over the years</a>, rather than just calling silly names, he'd know that OpenBSD works on ordinary bugs as a way of preventing security bugs. But I guess it's easier to sit at home pulling on your tool chain and calling people names, than to actually acquaint yourself with the facts. Well done, Linus. Next time I won't even bother recommending Linux as a second choice after OpenBSD.<br /> <br /> P.S. As if to prove the point, the next day, security mailing lists were full of this:<br /> <blockquote>Wei Wang discovered that the ASN.1 decoding routines in CIFS and <br /> SNMP NAT did not correctly handle certain length values. Remote <br /> attackers could exploit this to execute arbitrary code or crash<br /> the system. (CVE-2008-1673) <br /> </blockquote>So they have CIFS and SNMP in the Linux kernel, and they haven't checked for overflows? 'Nuff said!<br /> <br /> P.P.S: Apparently not enough said! It seems that the esteemed <a href="http://seclists.org/fulldisclosure/2008/Jul/0276.html">Mr. Torvalds is also implicated in a massive coverup of security bugs (aka attempted &quot;security through obscurity&quot;)</a>. Open Source Software OpenBSD Security http://theories.darwinsys.com:80/2008/07/16/1216230840000.html#comments http://theories.darwinsys.com:80/2008/07/16/1216230840000.html Wed, 16 Jul 2008 17:54:00 GMT