It is probably a good thing that the US has a strong security community, especially since they write a good chunk of the software that takes up most of the CPU time.
The other option would be government funded hackers in places like China finding security holes in US made software and ensuring they remain undisclosed (to anyone outside Chinese govt) to maintain an advantage.
Not meaning to pick on China in particular here, would it be any better if the US govt was the only ones to know this stuff?
Do you think the NSA and CIA don't do the same? They even buy zero-day exploits from hackers so they can use them themselves against other countries. How do you think they made Flame work? And these guys are "government sponsored hackers" too. In fact they are even hiring for this right now.
That's sort of my point. If there aren't independent security researchers who make a stink about security issues, thus causing them to be fixed, then these government organisations will be the only ones with the knowledge.
Yeah I think you can't argue that malicious hackers won't find it and make it far worse if we removed the non-malicious hackers. It's obvious that hacking would be far worse without security researchers finding and disclosing bugs that can be fixed.
What Linus is describing seems to be more along the lines of 'public approval'. When a big new hack is found, the researcher who finds the hack is treated like a rock star and given a ton of praise, and the company/coder responsible for the security bug gets a lot of dirt thrown their way. "How can you be so stupid as to let customers' data be taken?!" - that kind of thing. As Linus says, these bugs are generally very complex things and people obviously make mistakes.
Might be better for the community in general to try and not treat security researchers/hackers with so much awe? Moot point at any rate, it's just human nature - not going to be able to change that. People will always jump on this kind of thing (strikers in soccer get far more awe than defenders, even though both are equally valuable to the team).
That's true, there's a lot of ego in this. Just watch any DEFCON talk for examples. OTOH nobody wants to be the idiot who wrote the insecure code, or to have their company shamed.
This can help developers persuade their bosses to allow them to spend the necessary time to diligently check their work for security issues.
Part of this is probably also the Hollywood-perpetuated stereotype of the "hacker" as some evil/good mastermind who can destroy military infrastructure by typing a few commands on his terminal. This is seen as sexier than being some guy who writes code for a living.
"... the misdeeds of security industry and security researchers who become famous by uncovering the mistakes that people like Torvalds have missed." (from the article)
That's kind of what he's talking about though, isn't it? That idiot who let the vulnerable code go live to half the world in the case of a Linux vulnerability would be Linus. You'd have to argue pretty well to be able to convince anyone that Linus is an idiot though! Security (especially at a kernel level) is likely far too complex to be just a checklist of "don't do this" or "do this" and it magically becomes secure.