From Heartbleed to Shellshock, the world of open-source computing has faced several high-profile security breaches in the last year. What are open-source developers – whose code powers many of the servers and websites that store millions of people’s personal information – doing about them? That’s the question Linus Torvalds, lead Linux kernel developer, helped answer a few days ago.
Torvalds is the self-proclaimed “benevolent dictator” of Linux, the operating system kernel that forms the core of the open-source platforms that run many of the world’s Web, email and cloud storage servers, among other devices. Although Linux itself has not suffered any major security flaws recently, the security holes that hackers have exploited in other open-source code bases have raised questions about what Torvalds and his team of Linux programmers are doing to make sure Linux isn’t the vector for the next attack that leads to loss of personal data on a massive scale.
Asked about his security strategy for Linux at the recent LinuxCon conference in Seattle, Torvalds took a somewhat different approach from many leaders of major software projects. Rather than pretending that flawless security is a real-world possibility, he said, “The only real solution to security is to admit that bugs happen.”
He added, “Anyone that thinks that we’ll be entirely secure is just not realistic; we’ll always have issues.”
But that doesn’t mean all hope is lost, Torvalds said. While recognizing that no code is perfect from a privacy and security perspective, developers should work to erect as many barriers as possible to separate hackers from personal data.
The key to handling security vulnerabilities, according to Torvalds, is “to mitigate them by having multiple layers, so if you have a hole in one component, the next layer will catch the issue.”
The frankness with which Torvalds spoke about security and privacy problems is notable, given that many other programmers and corporate directors of IT security continue to dangle promises before the public that hacks can be totally prevented. That’s simply not a guarantee anyone can make.
Admitting as much, and explaining what developers should do to mitigate the problem even if they can’t solve it entirely, is a healthy step forward in the quest to move beyond the seemingly never-ending cycle of security and privacy breaches.