Seems like there is a market space there for someone to fill. Considering that it is the banks and financials that are a target and who has the money to support maintenance on the fingerprint db...

Linux, when set up and managed with security in mind (not running the system "as root"), is very secure. Viri and malware targeted at Linux systems, while not non-existent, is rare. Effective Linux viri or malware is even rarer.

While using common sense and only using software from trusted sources are generally sound advice, the author seems to have only rudimentary understanding of security concepts.

The Firewall section just hurts my head in more ways than one...and "If you're seeing an increase in brute forced attacks, I'd also recommend increasing your key strength just to be safe." Really? Who an earth would be brute forcing host keys at random?

He probably means "password" instead of "key", but still, if you're using/allowing password authentication with SSH you're most likely already doing it wrong if you're a regular desktop user.

No one. Attackers rarely grind against password prompts or attempt other forms of brute force intrusion methods these days. Instead, the common technique is to social engineer someone who already has a degree of access. The amount of work is less, and the reward is greater. From there, the attacker can more easily spread across the network. Perhaps a privileged user once logged onto normal workstation and failed to clear the cached credential. An attacker can discover this and use it to impersonate a privileged user, thus gaining access to many more resources on the network.

I'm going to deconstruct that article momentarily.

Anti-virus software isn't needed
True until bad guys start writing more malware for Linux. The likelihood of this is slim, though. Attackers and criminals are opportunistic -- they seek target-rich environments. You see lots of malware on Android for the same reason you see lots of malware on earlier versions of Windows: unsafe defaults, zillions of clueless users. Kitkat and Lollipop are much more resilient against attack than prior versions, just like Windows 7/8/8.1 are more resilient than prior versions. But there is still so much Gingerbread, Ice Cream Sandwich, Jellybean to target; there is still so much XP to target. Don't forget about Java, Flash, Acrobat, Quicktime, and every major browser -- these are even richer targets. Attackers won't waste their time on the sliver of a minority of us who take the time to learn Linux and also care about safe computing.

However: Linux powers most of the server infrastructure on the Internet. I do worry about zero-days a lot: exploits targeting undiscovered vulnerabilities. Anti-malware tools are powerless against these, of course. Monitoring for anomalous behavior becomes your best defense.

Use your firewall
Ridiculous. The notion of "open ports" on a host doesn't make sense. A host will establish a listening socket on a port when it needs to accept inbound connections. A host will establish a transmitting socket on a port when it needs to create an outbound connection. What are you going to block on a host? The author instructs us "to block any ports that aren't being used on a regular basis." News flash: the only time a port is available for an inbound connection is when you run some software designed to listen on that port. Otherwise, there's nothing to block.

The advice about SSH is goofy. If you don't need to permit inbound SSH, don't run the daemon. If you do need SSH, and if your password is a good one or you're using keys for authentication, then it doesn't matter what port you run it on. The default is fine. You'll see a lot of "knocks" from scanners across the Internet, but this is nothing new, really.

As for -- "The idea behind setting up your firewall to block unwanted connections is simple commonsense. If an application or protocol doesn't have a good reason to be connected, then it's best to play it safe and block that connection." -- what is this I don't even. If an application doesn't have a good reason to be connected, then it's best not to run that application. (In the same way that languages don't speak, people do, know that protocols don't connect, applications do. Does this author really understand the topic?)

Finally, a NAT-based router with stateful packet inspection is perfectly adequate for protecting machines behind it in a typical home or small office scenario. Extra layers, especially ones that are completely ineffective, are unnecessary.

Patch your installation
The first section that actually contains good advice. Do this.

Except...the author returns to "securing your ports" as a necessary defense against a malicious user or script "testing the waters." LOLWUT? Let's consider how such a thing might happen. If you're running a listening service because you need to answer incoming connections, a host firewall will have a rule permitting those. Good and bad traffic can and will make connections. A firewall can't distinguish between good and bad. Thus, "port security" is meaningless here. If you aren't running any listening services, then there is nothing for a firewall to do, so you don't need one. Why is this writer so obsessed with ports ports ports? Ugh!

Browser extensions
Good advice. More generally, be wary of random code that comes in any form, not just browser extensions.

Java
"These days Java isn't really a threat to anyone using a desktop operating system." This is so wrong. HotSpot, Oracle's Java virtual machine, is routinely updated to fix major security flaws that permit malicious software to escape the sandbox. But these updates are often not timely and exploits can run wild for quite a while. OpenJDK, the Java VM present in most Linux distributions, is much better here.

Also: a lot of enterprise applications are written so poorly that they require specific versions of Java. Java upgrades will break these applications, so millions of computers in medium and large organizations contain flawed JVMs.

Phishing
Um, phishing is an attack against people, not computers. Software can't help you here.

umm if SR said it you should maybe do it.

woodjustsayinbecauseIvolunteeredatCastleCopssmoke

Good analysis Steve

Vulnerabilities fixed more quickly? Or fewer vulnerabilities in the first place?

Well, I'm not sure whether I feel embarrassed or proud to have started this thread. I learned something, which is a point in favor...

I agree with Teunis on the not feeling embarrassed part. Especially when it comes to security, there is a lot of information out there that is just silly but not harmful, a lot that is outdated and usually not harmful, and some that just makes you cringe.

To help others in the future, I suggest changing the name of the thread (if possible), and/or edit your original post to add something like "The article I linked to has been mostly debunked by people smarter than the article's author. See comment X in this thread."

... and this discussion continues, huh?

OK, my contribution will be embarrassingly to the point:
I can't figure out why anyone would feel embarrassed about anything around here.

Many thanks for everyone's kind words

Many, many fewer in the first place.

As others have said, dicussions like these are valuable. No reason to feel embarrassed.

Good idea; will do.