I’ve had a hot take for a while now that Linux isn’t “more secure” than other operating systems like a lot of evangelists will claim. I think people get this impression because the user base for desktop Linux has been small enough that no one was writing malware targeted at us.

Unix’s security model was developed in a world where the primary concern was protecting the system from users and protecting users from each other. It wasn’t really designed for single-user systems where the main concern is protecting the user from their own applications.

And that is why all traffic facing servers are running windows and macos.

security you don't understand is security you don't have. windows' exploit mitigations don't work because the average user doesn't understand them and can easily be guided into disabling them.

the weakest attack surface is the stupidity of the user and that's not gonna change however much you try to make your os secure

This is a Qubes ad.

And that's fine, but why Qubes insists it's not Linux while booting the Linux kernel, running xen, using xfce as the primary desktop, and being listed on disteowatch seems like a weird marketing choice to me. Your primary audience knows what Linux is, so what is the motivation behind claiming "Qubes is not Linux"?

I highly value Madaidan's input on the matter and also their work on projects such as Kicksecure and Whonix. Furthermore, it's clear that Desktop Linux hasn't been able to combat all the pain points that were mentioned in the article. However, we've definitely come a long way since and there's lot to be optimistic about; secureblue to name a thriving project.

But, while I appreciate how the article continues to draw awareness to the fact that Desktop Linux isn't as secure as some like to think, the write-up is ultimately bound to be (severely) outdated at some point. And, perhaps, we might already be past the point in which it does more harm than good...

Anyhow, I'd like to take this opportunity to promote a platform that actually continues to deliver up-to-date articles about security on Linux: https://privsec.dev/posts/linux/

As someone who did use this guide as an exercise in making my setup as secure as it could be without changing distros or hampering productivity, a few words of advice:

• Make a threat model for yourself before diving in and apply the mitigations judiciously. It's not exactly a checklist, just use something secureblue or Qubes if you are really paranoid about your computer.
• The majority of the mitigations 'just work' and have no noticeable impact on performance, battery life, or compatibility.
• If your CPU/Memory performance widget breaks, dial back on the ptrace options
• If Flatpaks fail to launch, dial back on the namespace options
• Check back every so often because some of the options end up having unwanted side-effects with updates. See the preamble in boot parameters, where a change in Linux made in 2021 (which finally made it into Debian Stable this year) made the slub_debug mitigation actually worsen security.

OpenBSD?

Sorry man, your going to get down voted like crazy just because you posted something bad about Linux.

Good info thoughm

The thing about most default configs of any OS is that user storage is largely accessable to all apps. True of Linux, Android. Windows, ...

Graphene has options to restrict that but you have to set it up that way. Android also has App sandboxing for app data.

Thinking through the threat model of course is always good as is hardening. All security is porous. Linux is fine generally. If one is exposing services on the public net it is not clear that any OS or software is sufficiently secure, that takes constant effort in terms of monitoring and management.