Ugh. This article is basically FUD intended to scare people into using grsecurity. Notice how there were no actual examples of capabilities being misapplied in the real world. When used appropriately, capabilities are a big improvement over running things as root. My personal favorite is CAP_NET_BIND_SERVICE since it allows non-root users to run daemons that bind to the "privileged ports". It's possible to misuse capabilities to make your system insecure, just like it's possible to misuse chown(1) to make all your files world writable.
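Added example, not part of the comment above: one way to check that a daemon granted CAP_NET_BIND_SERVICE really runs with that capability alone rather than as root, by decoding the `Uid`, `CapPrm` and `CapEff` fields of `/proc/<pid>/status`. The process names, UIDs and masks in the samples are constructed, and the allow-list policy is an assumption of this sketch.

```python
# Bit positions follow <linux/capability.h>: index in this list == capability number.
CAP_NAMES = """CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF
CHECKPOINT_RESTORE""".split()


def decode_caps(hex_mask):
    """Turn a CapEff/CapPrm hex mask from /proc/<pid>/status into capability names."""
    mask = int(hex_mask, 16)
    names = {"CAP_" + n for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1}
    if mask >> len(CAP_NAMES):  # bits newer than this table knows about
        names.add("UNKNOWN_HIGH_BITS")
    return names


def audit(status_text, allowed=frozenset({"CAP_NET_BIND_SERVICE"})):
    """Return findings for one process; an empty list means it matches the policy."""
    fields = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.split()
    findings = []
    if int(fields["Uid"][1]) == 0:  # Uid: real, effective, saved, filesystem
        findings.append("effective UID is root")
    held = decode_caps(fields["CapEff"][0]) | decode_caps(fields["CapPrm"][0])
    if held - allowed:
        findings.append("extra capabilities: " + ", ".join(sorted(held - allowed)))
    return findings


# Constructed /proc/<pid>/status excerpts (not captured from a real system).
SCOPED = ("Name:\twebd\nUid:\t998\t998\t998\t998\n"
          "CapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n")
OVERGRANTED = ("Name:\twebd\nUid:\t998\t998\t998\t998\n"
               "CapPrm:\t0000000000200400\nCapEff:\t0000000000200400\n")
AS_ROOT = ("Name:\twebd\nUid:\t0\t0\t0\t0\n"
           "CapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n")

if __name__ == "__main__":
    for label, sample in (("scoped", SCOPED), ("overgranted", OVERGRANTED),
                          ("root", AS_ROOT)):
        print(label, audit(sample) or "ok")
```

On a live system the same function can be fed the contents of `/proc/<pid>/status` for the daemon's PID.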