A new Mindcraft moment?
Posted Nov 9, 2015 14:28 UTC (Mon) by drag (guest, #31333)
In reply to: A new Mindcraft moment? by ortalo
Parent article: A new Mindcraft moment?
The state of the 'software security industry' is a f-ng disaster. Failure of the highest order. There are massive amounts of money going into 'cyber security', but it's usually spent on government compliance and audit efforts. This means instead of actually putting effort into correcting issues and mitigating future problems, the majority of the effort goes into taking existing applications and making them conform to committee-driven guidelines with the minimal amount of effort and changes.
Some level of regulation and standardization is absolutely needed, but lay people are clueless and are completely unable to discern the difference between somebody who has valuable experience versus some company that has spent millions on slick marketing and 'native advertising' on large websites and computer magazines. The people with the money unfortunately only have their own judgment to rely on when buying into 'cyber security'.
> Those spilling our rare money/resources on ready-made useless tools should get the bad press they deserve.
There is no such thing as 'our rare money/resources'. You have your money, I have mine. Money being spent by some corporation like Redhat is their money. Money being spent by governments is the government's money. (You, literally, have far more control over how Walmart spends its money than over what your government does with theirs.)
> This is especially worrying as cyber "defense" initiatives look more and more like the usual industrial projects aimed at producing weapons or intelligence systems. Furthermore, bad useless weapons, because they are only working against our very vulnerable current systems; and bad intelligence systems as even basic school-level encryption scares them down to useless.
Having secure software with strong encryption mechanisms in the hands of the public runs counter to the interests of most major governments. Governments, like any other for-profit organization, are primarily interested in self-preservation. Money spent on drone initiatives or banking auditing/oversight regulation compliance is FAR more valuable to them than trying to help the public have a secure mechanism for making phone calls. Especially when those secure mechanisms interfere with data collection efforts.
Unfortunately you/I/us cannot depend on some magical benefactor with deep pockets to sweep in and make Linux better. It's just not going to happen.
Corporations like Redhat have been massively beneficial in spending resources to make the Linux kernel more capable; however, they are driven by the need to turn a profit, which means they need to cater directly to the sort of requirements established by their customer base. Customers for EL tend to be much more focused on reducing costs associated with administration and software development than on security at the low-level OS.
Enterprise Linux customers tend to rely on physical, human policy, and network security to protect their 'soft' interiors from being exposed to external threats, assuming (rightly) that there is very little they can do to actually harden their systems. In fact, when the choice comes between security vs convenience I am sure that most customers will happily defeat or strip out any security mechanisms introduced into Linux.
On top of that, most Enterprise software is extremely bad. So much so that 10 hours spent on improving a web front-end will yield more real-world security benefits than 1000 hours spent on Linux kernel bugs for most businesses.
Even for 'normal' Linux users a security bug in their Firefox's NPAPI flash plugin is far more devastating and poses a massively higher risk than an obscure Linux kernel buffer overflow problem. It's just not really important for attackers to get 'root' to get access to the important information... generally all of which is contained in a single user account.
Ultimately it's up to individuals like you and myself to put the effort and money into improving Linux security. For both ourselves and other people.
Posted Nov 10, 2015 11:05 UTC (Tue) by ortalo (guest, #4654)
Spilling has always been the case, but now, to me and in computer security, most of the money seems spilled due to bad faith. And this is mostly your money or mine: either tax-fueled governmental resources or corporate costs that are directly re-imputed on the prices of goods/software we are told we are *obliged* to buy. (Look at corporate firewalls, home alarms or antivirus software marketing discourse.)
I think it is time to point out that there are several "malicious malefactors" around and that there is a real need to identify and sanction them and confiscate the resources they have somehow managed to monopolize. And I do *not* think Linus is among such culprits by the way. But I think he may be among the ones hiding their heads in the sand about the aforementioned evil actors, while he probably has more leverage to counteract them or oblige them to reveal themselves than many of us.
In the end, I think you are right to say that currently it's only up to us individuals to try honestly to do something to improve Linux or computer security. But I still think that I am right to say that this is not normal; especially while some very serious people get very serious salaries to distribute randomly some difficult to evaluate budgets.
[1] A paradoxical situation when you think about it: in a domain where you are first and foremost preoccupied by malicious individuals everyone should have factual, transparent and honest behavior as the first priority in their mind.
My key point is actually showing that money/resources is spilled currently in this field, due to the lack of maturity or - much more worryingly - the bad faith of some of the actors [1]. Especially among some of the big organizations that, logically, have the most resources to spill.
I find that to be of brown-paper-bag level (though head-in-the-sand is somehow a new interpretation).