From: | Sharov | ||
Date: | 01.12.17 19:16 | ||
Rating: |
Linus tells Google security engineers what he really thinks about them: Some security people have
scoffed at me when I say that security problems are primarily "just bugs". Those security people
are f*cking morons. Because honestly, the kind of security person who doesn't accept that security
problems are primarily just bugs, I don't want to work with. If you don't see your job as "debugging first",
I'm simply not interested. So I think the hardening project needs to really take a good look at
itself in the mirror. Because the primary focus should be "debugging". The primary focus
should be "let's make sure the kernel released in a year is better than the one released today".
And the primary focus right now seems to be "let's kill things for bugs". That's wrong.
I think this just comes from a different philosophy behind security at Google. At Google, security
bugs are not just bugs. They're the most important type of bugs imaginable, because a single security
bug might be the only thing stopping a hacker from accessing user data. You want Google engineers obsessing
over security bugs. It's for your own protection. A lot of code at Google is written in such a way that if a
bug with security implications occurs, it immediately crashes the program. The goal is that if there's even
the slightest chance that someone found a vulnerability, their chances of exploiting it are minimized.
From: | vmpire | ||
Date: | 04.12.17 10:02 | ||
Rating: |
Formally speaking, he is right: a bug is undesirable behavior of the system, which means a vulnerability is a bug.
S>Linus tells Google security engineers what he really thinks about them: Some security people have
S>scoffed at me when I say that security problems are primarily "just bugs". Those security people
S>are f*cking morons. Because honestly, the kind of security person who doesn't accept that security
S>problems are primarily just bugs, I don't want to work with. If you don't see your job as "debugging first",
S> I'm simply not interested. So I think the hardening project needs to really take a good look at
S>itself in the mirror. Because the primary focus should be "debugging". The primary focus
S>should be "let's make sure the kernel released in a year is better than the one released today".
S> And the primary focus right now seems to be "let's kill things for bugs". That's wrong.
From: | Константин Б. | ||
Date: | 04.01.18 13:49 | ||
Rating: |