On Sun, Dec 20, 2015 at 02:28:42PM -0500, Gene Heskett wrote:

> Good question Lisi, one I've yet to hear a good explanation for from the 
> bunto folks, and I did ask a couple times in the past. Should I make the 
> pw I use just as obtuse & long?

That depends on what sort of threats you may face.

If you have unrestricted sudo rights, then access to your account is 
just as good as access to root. Possibly even more so, since your 
account might have access to resources on other machines that root 
doesn't.

Or an attacker might use an unpatched exploit to steal root access, even 
without sudo rights. But even without root access, access to your 
account alone may be valuable to the attacker. 

If the attacker thinks of you as just another machine on the Internet, 
then they can still use your machine to (say) store files, launch 
attacks on others, maliciously delete or encrypt files (ransomware), 
send spam, go through your address books and emails looking for other 
accounts to attack, steal unencrypted passwords from your web browser 
and get access to your on-line banking, social media and "cloud"-based 
systems. From which they can steal your money, send spam, or launch 
attacks on others -- emailed malware is *much* more effective when it 
comes from a person you trust.

If they are specifically targetting *you*, or somebody you know, they 
can invade your privacy, stalk you or your friends/family, perform 
industrial espionage, or frame you for possession of illegal material 
such as child pornography or terrorist-related material. Root access not 
required.

Consider that attacks are not necessarily over the internet. Are you 
living alone, or sharing a flat with four total strangers? Do you take 
your computer into the shop to get repairs done? How well do you trust 
them?


-- 
Steve