Gentoo Developer: Is The Linux Desktop Less Secure Than Windows 10?

  • #31
    Originally posted by juno
    You do know that installers run with higher privileges when you install apps on Android or iOS, right? It's the same as using a package manager, only that it doesn't ask you for a password.
    FYI Android apps don't get total permissions to do whatever the fuck they want on installation, they can only place themselves in /data partitions or other places that can be nuked also by the phone's user, and if the system rejects some of their requirements they either can't be installed or don't work afterwards.

    Can I remind you that to install some root-only stuff I need to reboot into recovery and use that unsecured environment to install things? Because there is no way in hell that the OS lets me do it from within.

    If the Android way seems so nice to you, go ahead and assign a unix user for each app. Restrict the rights, easy.
    Android is a bit more extreme than that, they are actually using SELinux policies to lock down stuff while even more "safe" distros with AppArmor and SELinux have laughably weak policies.
    Also, that still does not solve the issue of root access on install.

    Or just use android-x86
    Is more unstable than Win XP pre-SP1, nuff said.

    You can also maintain your own distribution. Spread it, if people agree with you, you should have plenty of users. But once and for all, don't blame the kernel, which has nothing to do with it. At all.
    I'm talking of "linux distros", not of "linux".

    You must be very blinded by ideology if you don't know about security problems due to exploits on those systems.
    I demand proof. Please show me some proof of this. I've yet to see ANYONE complain about true malware attacks on Android on the internet (most stuff is dumb shit that spams popups but all apps can do that too anyway) on scales that make that anywhere as bad as it is on Windows.

    I also never had malware issues on gnu/linux without antivirus, neither do I know from people this happened to, so I don't really get your point here.
    Only a goddamn retard would even think about targeting Linux desktop as it's tiny marketshare. Hell even MacOS is "secure" because it's not really a target even if Apple's security has always been meh on average. Linux server on the other hand... that's another thing altogether.

    Also, AV don't necessarily make the system more secure. Today's products are more likely to cause more problems instead of preventing users from harm.
    Bullshit products always existed, they are not a good reason to say that the whole category is bad. Windows won't last a month with a normal user without a decent AV software.

    Sure my gaming rig has no AV, but it's a PURE gaming rig, so it has games, Steam, Teamviewer, and nothing else AT ALL, and I never use it to browse the internet.

    I don't know which software you use, but any sanely developed desktop application does store configuration or data in sane locations, like the user's home.
    Let's not open this can of worms please. /home is a big fucking place and you have configs all over, it's just hidden by default so you don't panic, but it's a fucking mess. Some are in a folder, some are in .config folder, some are wherever else.

    If you use apps that need privileges and put trash in your entire rootfs, you should maybe consider stop using crapware and not blame the victim, your system for it
    Do you never install or update applications in your Linux system? Because that is 1st source of infection regardless of OS, as installation/update gives them root access. If on windows applications didn't need admin access to be installed you'd be cutting down standard-issue malware stuff by A LOT.

    Since the main defence of Linux desktop currently is its low marketshare, it might be a good idea to get a decently safer system if it wants to expand.
    Last edited by starshipeleven; 05 February 2017, 08:56 PM.



    • #32
      Meanwhile, Windows has added crashing as a service!



      • #33
        Originally posted by Danny3
        I don't understand why no Linux distribution gives me the power to control the program I run on it
        ...
        When it comes to privacy, I can't control which programs are allowed access devices like Webcam and mike, DVD drive, pendrive, etc...
        ...
        There's no protection for proprietary programs.
        Firejail does exactly these things.

        Originally posted by Danny3
        Every time a program asks for my root password I fear that it will break my system completely, maybe it wants to format all my hard drives and I lose all my personal files.
        Then don't give it the root pw. You should be able to install a proprietary program into a user's home dir, all done inside a sandbox to limit access to just the installation directory. If it doesn't give you that option, you can always try fooling it with overlayfs, or just work in a container.

        Originally posted by Danny3
        Everything is allowed by default.
        How is that secure?
        Because defaults are there to work for most things but to be changed when needed.



        • #34
          I'm not sure how this is all that debatable - Windows is taking certain security measures that most Linux distributions are not. ASLR in particular seems like something that should have been enabled everywhere a long time ago.



          • #35
            Originally posted by Alejandro Nova
            Meanwhile, Windows has added crashing as a service!

            Crashing as a service? About time they caught up with Linux on that feature.

            Alt + SysRq + c = Kernel panic

            Should maybe mention it's disabled by default. (https://en.wikipedia.org/wiki/Magic_SysRq_key)



            • #36
              Originally posted by starshipeleven
              Yeah right. Why more modern systems like say Android or iOS let me install applications without requiring root access?
              While it may not require root to install, it requires root access to RUN the app every time it is executed...



              • #37
                Code:
                sudo apt-get install firejail
                and then make a private directory for everything you want to run that has Internet access. Very easy to do, doesn't generally change the functionality of the apps (other than open/save paths) and significantly restricts possible attack vectors and the damage that can be done. Can install applications under ~/opt/<whatever> and use a pre-exec hook script to bind mount that directory into the firejail private directory mounted R/O with bindfs.

                All application launches can be done without root, without custom /etc/fuse.conf configuration, etc. The application thinks the user home directory is completely empty except for its own files and possibly the program file (which is read-only). No suid things can be executed, generally firejail's default profiles will prevent access (and visibility) to files under /usr/bin that it doesn't require, various unsafe Linux kernel capabilities are blocked, etc. I've been using it for a long time now with great success.

                Not installed by default obviously, but the packages are in the Stretch repo so it's only a command away.
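
The layout described in post #37, sketched as a launcher script. This is an added example, not part of any poster's message: the directory layout (`~/.jails/<app>`, binary at `~/opt/<app>/<app>`), the function names and the `DRY_RUN` switch are assumptions, and the explicit firejail flags are chosen here rather than taken from the post.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: each app lives in
# $APP_ROOT/<app> with its binary at <app>/<app>; each app gets its own
# firejail private home under $JAIL_ROOT/<app>.
JAIL_ROOT="${JAIL_ROOT:-$HOME/.jails}"
APP_ROOT="${APP_ROOT:-$HOME/opt}"

# With DRY_RUN set, print each command instead of executing it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Plain names only: "../x" must not redirect paths and "-x" must not be
# parsed as an option by bindfs or firejail.
valid_app_name() {
    case "$1" in
        ''|.|..|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

launch() {
    app=$1
    valid_app_name "$app" || { echo "invalid app name: $app" >&2; return 2; }
    shift
    home="$JAIL_ROOT/$app"      # becomes $HOME inside the sandbox
    mnt="$home/opt/$app"        # read-only view of the installed app
    run mkdir -p "$mnt" || return 1
    # Pre-exec hook: bindfs -r makes the view strictly read-only, so the
    # jailed program cannot modify its own installation.
    if ! mountpoint -q "$mnt" 2>/dev/null; then
        run bindfs -r "$APP_ROOT/$app" "$mnt" || return 1
    fi
    # --private swaps in the near-empty home; the extra flags drop all
    # capabilities, block privilege gain via suid, and enable seccomp.
    run firejail "--private=$home" --caps.drop=all --nonewprivs --seccomp \
        -- "$HOME/opt/$app/$app" "$@"
    rc=$?
    run fusermount -u "$mnt"
    return "$rc"
}

# Run only when given arguments, e.g.: sh jail.sh myapp --some-flag
[ "$#" -eq 0 ] || launch "$@"
```

Running it with `DRY_RUN=1` prints the mkdir, bindfs, firejail and fusermount commands without touching the system, which is a quick way to review the paths before the first real launch.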



                • #38
                  I have to say, I agree a bit about Android. In my case, I really liked the ability in CyanogenMod to easily change the permissions of an app. A quick example of this, albeit not for security, was one (proprietary) app played a sound when started, but I didn't like that, especially since I have the one-application-playing-a-sound-at-a-time policy set up, so I removed audio from the app permissions and it never bothered me again. Having sane permissions per app set by packagers, and easily changeable by the admin, would be great.

                  I will look at this firejail, seems interesting!



                  • #39
                    Firejail is really good. I heartily recommend it :+1:



                    • #40
                      And yet, Windows is currently having an invasion of "Ransomware".
                      You open a JavaScript file on Windows, it will run it automatically - infected.
                      You download an attachment, it can be executed by default - infected.
                      You open a Word or Excel file (.xls, .xlsm), Visual Basic code can be executed automatically - infected.

                      By design it has more serious flaws that are very easy to exploit.
