Linus and the “Security Circus”

Ladeeeeez and gentlemen!

Well, methinks Linus is going to be “security villain of the week” for a few days again.
Problem is, he’s actually got a good point.  Unfortunately, his use of “security circus” is going to be read as the whole security community, when he is actually referring to the lunatic fringes at both ends of the “disclosure” spectrum.  There are those who still cling to the outdated and disproved dogma of “security by obscurity,” and there are the self-promoters (with egos the size of the MS Windows Vista source code) who are eager to trumpet any little flaw they find as a “security” vulnerability.  Those of us in the trenches have been trying to keep vendors and consultants from using these arguments on the uninformed for years.  Linus is saying the same thing.  He’s as frustrated as we are, and for the same reasons.  He just uses more sensational phrases.

  • Aviram

    Indeed the key is to understand that both ends of the spectrum are equally bad.

    Maybe each of us needs to find our own ‘acceptable’ disclosure policy that is not in those extremes.