On Mon, 06 Feb 2017 09:07:34 +1100, Steve D'Aprano wrote:

> On Sun, 5 Feb 2017 07:01 pm, Wildman wrote:
>
>> Sure, you
>> could trick someone into running a program that could
>> mess with $HOME but that is all. For anyone, like me,
>> that makes regular backups, that is not a big problem.
>> To do any real damage to the system or install a key
>> logger or some other malicious software, root access
>> would be required.
>
> The complacency of Linux users (and I include myself here) is frightening.

No comment. :-)

> Why do you value the OS more than your own personal files? In the worst
> case, you could re-install the OS in a couple of hours effort. Losing your
> personal files, your home directory and email, could be irreplaceable.

I would not say I value the OS more. It is that anything I
have that I consider important does not stay in $HOME very
long without being backed up or moved to an external drive.

> You're also ignoring the possibility of privilege-escalation attacks.

The odds of that happening are very low. You should know
that. There are very few actual exploits in the wild.
Whenever one is discovered, it is fixed quickly. You would
be hard pressed to find more than a few examples of where
a vulnerability was actually exploited.

> As far as "regular backups", well, you're just not thinking deviously
> enough. If I were to write a ransomware application, running as the regular
> user, I would have the application encrypt files and emails just a few at a
> time, over a period of many weeks, gradually increasing the rate. By the
> time the victim has realised that their files have been encrypted, their
> backups have been compromised too: you can restore from backup, but you'll
> be restoring the encrypted version.
>
> Obviously this requires tuning. How many files will people be willing to
> just write-off as lost rather than pay the ransom? How quickly do you
> accelerate the process of encrypting files to maximize the number of people
> who will pay?

I should explain a few things that will make my position
clearer. First of all, I am not advocating for anyone to
change their computing practices. If you are comfortable
with your methods, who am I to tell you different?

I am an amateur programmer and therefore I do not make a
living writing code. If I suddenly lost all my code, it
would not be the end of the world for me. I would have
enjoyment writing it again.
Because of this I am not very paranoid when it comes to
my computer data, although I do practice safe surfing
when it comes to the internet. Scripting and Java stay
off unless it is needed by a 'known' site. Also, I never
click unknown links without doing a little sniffing first.

And last I would like to say that I admit some of the
scenarios you and others have laid out could happen, but,
in my circumstance, it is very unlikely. One would have a
hard time placing a program on my computer and running it
without me knowing about it. No, that is not a challenge. :-)

-- 
<Wildman> GNU/Linux user #557453
The cow died so I don't need your bull!
-- 
https://mail.python.org/mailman/listinfo/python-list
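
The gradual-encryption scenario in the quoted text only poisons backups if nobody compares one backup generation with the next. As an added example (not part of the original thread), the Python below audits successive backup snapshots for files that changed from ordinary content to near-random bytes and reports the last clean generation for each; the snapshot data, thresholds and function names are constructed for illustration.

```python
import hashlib
import math
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def suspicious_changes(older, newer, floor=7.0, jump=2.0):
    """Paths that changed between two backups and became near-random."""
    hits = []
    for path, new in newer.items():
        old = older.get(path)
        if old is None or old == new:
            continue  # new or unchanged file: nothing to compare
        if entropy(new) >= floor and entropy(new) - entropy(old) >= jump:
            hits.append(path)
    return sorted(hits)

def audit(generations):
    """Return (flagged paths per backup step, last clean generation per path)."""
    per_step, last_clean = [], {}
    for i in range(1, len(generations)):
        hits = suspicious_changes(generations[i - 1], generations[i])
        per_step.append(hits)
        for path in hits:
            last_clean.setdefault(path, i - 1)
    return per_step, last_clean

def noise(seed: bytes, blocks=128) -> bytes:
    """Constructed stand-in for ciphertext or compressed data (4 KiB)."""
    return b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(blocks))

# Constructed sample: four successive backups as {path: content} snapshots.
TEXT = b"Meeting notes for the project, draft one.\n" * 100
MAIL = b"From: alice@example.org\nSubject: lunch on friday?\n\n" * 80
CODE = b"def main():\n    print('hello')\n" * 120
GEN0 = {"notes.txt": TEXT, "mail/inbox": MAIL, "code/app.py": CODE, "photo.jpg": noise(b"p1")}
GEN1 = {**GEN0, "notes.txt": noise(b"n"), "code/app.py": CODE + b"# edited\n"}
GEN2 = {**GEN1, "mail/inbox": noise(b"m"), "photo.jpg": noise(b"p2")}
GEN3 = {**GEN2, "code/app.py": noise(b"c")}
GENERATIONS = [GEN0, GEN1, GEN2, GEN3]

if __name__ == "__main__":
    steps, clean = audit(GENERATIONS)
    print("flagged per backup step:", steps)
    print("last clean generation per file:", clean)
```

A file that is legitimately replaced by a compressed or encrypted version also trips the entropy jump, so flagged paths need a manual look before any generation is pruned.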