On Sun, Dec 20, 2015 at 02:28:42PM -0500, Gene Heskett wrote:
Good question Lisi, one I've yet to hear a good
explanation for from the
bunto folks, and I did ask a couple times in the past. Should I make the
pw I use just as obtuse & long?
That depends on what sort of threats you may face.
If you have unrestricted sudo rights, then access to your account is
just as good as access to root. Possibly even more so, since your
account might have access to resources on other machines that root
doesn't.
Or an attacker might use an unpatched exploit to steal root access, even
without sudo rights. But even without root access, access to your
account alone may be valuable to the attacker.
If the attacker thinks of you as just another machine on the Internet,
then they can still use your machine to (say) store files, launch
attacks on others, maliciously delete or encrypt files (ransomware),
send spam, go through your address books and emails looking for other
accounts to attack, steal unencrypted passwords from your web browser
and get access to your on-line banking, social media and "cloud"-based
systems. From which they can steal your money, send spam, or launch
attacks on others -- emailed malware is *much* more effective when it
comes from a person you trust.
If they are specifically targetting *you*, or somebody you know, they
can invade your privacy, stalk you or your friends/family, perform
industrial espionage, or frame you for possession of illegal material
such as child pornography or terrorist-related material. Root access not
required.
Consider that attacks are not necessarily over the internet. Are you
living alone, or sharing a flat with four total strangers? Do you take
your computer into the shop to get repairs done? How well do you trust
them?
--
Steve