The biggest problem I see with this article is that the author is talking about “Linux” pretty generically. I guess from context they mean specifically “Linux on the Desktop”, but even still that is a very broad and diverse category to make such declarative statements about.
Just starting off in section one, he compares Desktop Linux to ChromeOS. While ChromeOS is not typically considered a Linux Distro, it actually does use the Linux kernel and shares quite a bit of userspace in common.
If strict sandboxing is your idea of security, you’d be hard pressed to do better than Qubes, a distro that is all about strictly sandboxing your applications and data.
Support and tooling for sandboxing applications varies by distro, with most being very permissive in the name of convenience, but several (particularly those aimed at professional, enterprise use) supporting some very strong sandboxing features by default.
The author cherrypicks two examples that are easily skewered, but fails to mention SELinux at all.
In the non-desktop space, containers have all but become the de-facto standard. So hosted applications are strongly sandboxed by default.
Section 2 is entirely misguided. First of all, the is no evidence that the choice of programming language has any impact of the overall security of an application. In fact, the most recent research I’ve seen suggests that there is no correlation at all between the language an application is written in and the number of severity of vulnerabilities found in that application.
Furthermore, Window and Mac “moving towards” Rust and Swift is basically nonsense. The vast majority of both operating systems, including the kernels of each, are still written in C++ and C. Nobody is going back and re-writing Microsoft Office in Rust to take advantage from memory protections.
The thing that all three (Windows, Mac, and Linux) ARE doing is implementing memory address protections in their kernels that apply to all of userspace, regardless of the language applications are programmed in.
Section 3, he blasts Linux’s kernel, then admits that Windows does no better. Even worse, Windows relies on code signing to protect users from malicious kernel code (third party device drivers). The problem is that Nvidia’s signing keys were leaked by hackers, and ever since malware authors have been using them to sign exploits that Windows systems trust by default.
Linux users rarely need to download and install third-party kernel code (like device drivers) and so kernels can be compiled with module loading disabled and render this entire attack vector moot.
Skipping to the end, in Section 8 the author seems to willfully misrepresent some of the other security researchers they cite as agreeing with their views. For instance, Joanna’s praise of Mac OSX could also be seen as throwing shade at them for adopting features that QubesOS had developed almost a decade prior.
All this to say that yes, Linux security is a mess. Just as Linux audio is a mess. Linux anything is a mess. Linux is messy, that’s just what it is.
Windows and OS X and ChromeOS have messes and warts of their own. The difference is that with Linux, at least you can choose to make it your mess. With Windows, OS X, and ChromeOS, you’re pretty much stuck with the mess you’re given.
I’ve been using and developing on Linux for about two decades now, with a persistent focus on security. I can acknowledge that there’s plenty of room for improvement. However I don’t agree with the author’s assertions that Linux itself is lagging behind the commercial alternatives. If they’re looking only at Ubuntu and other “bridge” distros (the ones that cater to people switching from Windows or OS X) then it will seem more dire than what I would consider typical for more security-focused distros.