Fedora 32 Might Disallow Empty Passwords For Local Users By Default

  • #31
    Originally posted by Vistaus View Post
    Does not work that way on Windows 10 (not sure about earlier versions, I'm gonna give you the benefit of doubt there).
    Technically speaking I'm always right and this is no exception, but I'll concede that on Win10 Home there is a "bug" (wink wink, nudge nudge) that does not show the button for the offline account until you have written a bogus phone number (or Microsoft account) in the "online account" box.

    After you have clicked on the "offline account" you can always press Next without writing a password.

    See step 24 of this tutorial https://www.tenforums.com/tutorials/...dows-10-a.html
    Last edited by starshipeleven; 28 November 2019, 04:13 PM.


    • #32
      Originally posted by starshipeleven View Post
      Technically speaking I'm always right and this is no exception
      Someone's full of himself! I always thought you were one of the best posters on this forum, but talking big like that makes me like you less. And no, I'm not kidding.


      • #33
        Originally posted by Vistaus View Post
        Someone's full of himself!
        or perhaps not completely serious


        • #34
          Originally posted by starshipeleven View Post
          or perhaps not completely serious
          Me neither.


          • #35
            Originally posted by Charlie68 View Post

            ... and it is not surprising that users who use the most famous OS are infected with viruses and format often!
            Between the two, I prefer to stay in the minority ... I not only set a user password in addition to the root password, but I also set a password to protect my password in the wallet and despite everything I am still alive and with the computer I also have to work.
            If people looked a little more at safety and less at performance, even the web would be a better place!
            If Linux had the same market share it would have the same infection percentage.
            Just because Linux nags you 100 times a day with password popups it doesn't mean that it's more secure.
            100% of the time it asks me for my password I give it because I want to run that program.
            How is this different than having no password ?


            • #36
              Originally posted by Danny3 View Post
              If Linux had the same market share it would have the same infection percentage.
              Yes, but to the contrary of Windows, on Linux we are seeing sandboxing frameworks and kernel features that systemd, tools like firejail or application distribution like flatpak can use to isolate stuff.

              Just because Linux nags you 100 times a day with password popups it doesn't mean that it's more secure.
              It means someone didn't configure it correctly, but apart from that, it is limiting access to more stuff than Windows by default, which makes it more secure, at least from some attack vectors.

              How is this different than having no password ?
              It makes sure that the user knows that the application is asking access to stuff it shouldn't, which for the older security model of "the user decides who is trustworthy" is better. For the more modern model it's a bit meh, but so does Windows anyway.

              Of course if you don't configure the system to give your user/application access to the areas it should have, and resort to running everything as root then it's either your own or a distribution issue.


              • #37
                Originally posted by Danny3 View Post
                If Linux had the same market share it would have the same infection percentage.
                Just because Linux nags you 100 times a day with password popups it doesn't mean that it's more secure.
                100% of the time it asks me for my password I give it because I want to run that program.
                How is this different than having no password ?
                It may be as you say, but at the moment it is not possible to support it, since there is no proof of what you say.
                Obviously a greater number of users would also increase the "viruses" for Linux, however Windows and GNU/Linux are profoundly different, so it is not possible to support your thesis.
                Obviously at the base of everything there is always the user, there are many users even in Linux who are careless, but what is unacceptable is that users complain about entering a password, when this is for their protection. What I mean is that there is little attention to security in general and Windows in these years has not helped to create a certain awareness of the subject.


                • #38
                  Originally posted by Charlie68 View Post
                  It may be as you say, but at the moment it is not possible to support it, since there is no proof of what you say.
                  Obviously a greater number of users would also increase the "viruses" for Linux, however Windows and GNU/Linux are profoundly different, so it is not possible to support your thesis.
                  I don't see what kind of proof you need, Xorg allows easy screen and keylogging to any application, the default "all applications run as the same user" allows any application to read whatever the hell it wants in the user's home folder where all configs are, and also access to any kind of the user's data, while installing applications still requires root privileges just as Windows.

                  Linux distros are still using the old Unix model of "single multiuser system" where you only need to protect the server OS from the users and each user from the other users, but that's far from the real use most Linux systems see nowadays.

                  As long as applications come from the distro repositories it's kind of OK, but you can't expect to have a large ecosystem of third party applications (also proprietary) that are curated and more or less guaranteed safe as the opensource ones in the distro's repos.

                  Obviously at the base of everything there is always the user, there are many users even in Linux who are careless, but what is unacceptable is that users complain about entering a password, when this is for their protection.
                  It's for the OS protection from unauthorized settings change, or to access shared system hardware. It does not really protect the user that much to firewall access to tty subsystem (serial dongles) behind root privileges or granting permission to your user for that.

                  Applications are run as your user by default and therefore can freely keylog and steal all your data without root privileges, no need for a password.

                  Servers commonly run their service applications under a different non-root user that has limited or no privilege at all (also usually no shell access), which makes them very safe as any breach in the application will be contained, but this is NOT done for user applications in a home PC setup.

                  If we want to talk about a half-way secure system we need a Wayland compositor (that is not a free-for-all keylog and screen scraping), and firejail https://github.com/netblue30/firejail (that sandboxes and enforces no access to stuff the application should NOT be able to look at, using Linux kernel features), or Flatpak with packages where the sandboxing is strict. But how many distros are like that yet? Not much.

                  Linux CAN and WILL be a very secure OS. For now it really isn't.
                  Last edited by starshipeleven; 09 December 2019, 08:24 PM.
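Added example, not part of any post in this thread: a small audit that checks passwd/shadow text for the two account properties the discussion turns on, local users with an empty password (the subject of the thread title) and service accounts that can still log in to a shell (post #38 describes servers running services as a non-root user with no shell access). The sample lines are constructed, and `UID_MIN = 1000` and the list of no-login shells are assumptions about the target system.

```python
# Added example: audit passwd/shadow text for empty passwords and for
# service accounts that are not isolated the way post #38 describes.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
UID_MIN = 1000  # assumption: first regular-user UID (UID_MIN in /etc/login.defs)

# Constructed sample input, not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
httpd:x:48:48:web service:/var/www:/sbin/nologin
backupsvc:x:250:250:backup job:/var/lib/backup:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructed$hash:18200:0:99999:7:::
httpd:!!:18200::::::
backupsvc:!!:18200::::::
toor:$6$constructed$hash:18200:0:99999:7:::
alice:$6$constructed$hash:18200:0:99999:7:::
guest::18200:0:99999:7:::
"""

def parse(text, min_fields):
    """Split colon-separated account lines, skipping blanks, comments and short lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            rows.append(fields)
    return rows

def audit(passwd_text, shadow_text):
    """Return (account, finding) pairs: passwd findings first, then shadow findings."""
    findings = []
    for f in parse(passwd_text, 7):
        name, uid, shell = f[0], int(f[2]), f[6]
        if uid == 0 and name != "root":
            findings.append((name, "extra UID 0 account"))
        elif 0 < uid < UID_MIN and shell not in NOLOGIN_SHELLS:
            findings.append((name, "service account with login shell"))
    for f in parse(shadow_text, 2):
        if f[1] == "":  # empty hash field: no password is required to log in
            findings.append((f[0], "empty password"))
    return findings
```

On a real host the same function can be fed the contents of `/etc/passwd` and `/etc/shadow`; reading the latter requires root.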


                  • #39
                    Originally posted by starshipeleven View Post
                    I don't see what kind of proof you need, Xorg allows easy screen and keylogging to any application, the default "all applications run as the same user" allows any application to read whatever the hell it wants in the user's home folder where all configs are, and also access to any kind of the user's data, while installing applications still requires root privileges just as Windows.

                    Linux distros are still using the old Unix model of "single multiuser system" where you only need to protect the server OS from the users and each user from the other users, but that's far from the real use most Linux systems see nowadays.

                    As long as applications come from the distro repositories it's kind of OK, but you can't expect to have a large ecosystem of third party applications (also proprietary) that are curated and more or less guaranteed safe as the opensource ones in the distro's repos.

                    It's for the OS protection from unauthorized settings change, or to access shared system hardware. It does not really protect the user that much to firewall access to tty subsystem (serial dongles) behind root privileges or granting permission to your user for that.

                    Applications are run as your user by default and therefore can freely keylog and steal all your data without root privileges, no need for a password.

                    Servers commonly run their service applications under a different non-root user that has limited or no privilege at all (also usually no shell access), which makes them very safe as any breach in the application will be contained, but this is NOT done for user applications in a home PC setup.

                    If we want to talk about a half-way secure system we need a Wayland compositor (that is not a free-for-all keylog and screen scraping), and firejail https://github.com/netblue30/firejail (that sandboxes and enforces no access to stuff the application should NOT be able to look at, using Linux kernel features), or Flatpak with packages where the sandboxing is strict. But how many distros are like that yet? Not much.

                    Linux CAN and WILL be a very secure OS. For now it really isn't.
                    I imagine that given your competence, you will be working to improve safety.
                    It is not a novelty that Xorg has security problems, it has been known for a long time and it is trying to move to Wayland also for this reason.
                    If you take applications from the repositories it's ok! That's the point, but if you want to fill your shitty pc, then don't complain about security. Security and privacy are two different things, a malware confined to the home can be a problem for privacy, but not for security.


                    • #40
                      Originally posted by Charlie68 View Post
                      I imagine that given your competence, you will be working to improve safety.
                      I'm a sysadmin, not a developer.

                      It is not a novelty that Xorg has security problems,
                      Then why are you saying you need proof to say Linux is not safe?
                      If you take applications from the repositories it's ok!
                      FYI, this is also true for Windows. "trusted application repositories" is just more of the same proof that the system is unable to defend itself so you must install only "good stuff".

                      The problem is that you cannot just use a few applications from a walled garden. Real professional applications and other odds and ends are not going to come from there, and this opens the door to potential malware and issues.

                      That's the point, but if you want to fill your shitty pc, then don't complain about security.
                      Bullshit. Modern OSes like Android allow you to do that without many issues.

                      Security and privacy are two different things, a malware confined to the home can be a problem for privacy, but not for security.
                      Heh, "privacy" because anything serious has already migrated away.

                      All serious stuff (bank accounts for example) when run on PC requires dual-authentication through SMS or smartphone app BY LAW in the EU. They know the PC security is shit and can't trust it.
                      Meanwhile, the bank's app on Android only asks for a password or a fingerprint, and you can pay directly with a smartphone through NFC (Google Pay or Apple Pay).
                      Doing the same with a PC (even when you have fingerprint scanners like on business laptops) without dual-auth is complete bullshit nonsense.

                      The security model on PC is a joke, both on Windows and on current default Linux setups.
