Separate user account (was Re: invalid gpg key revocation)

Peter Lebbing peter at digitalbrains.com
Tue Mar 6 22:51:51 CET 2012


On 06/03/12 22:31, Hauke Laging wrote:
> AFAIK there is nearly no skill level required in order to get into an average
> user account. There is software which creates malware. You don't have to
> write it yourself. Just wait for the next exploit in a widely used (or known
> to be used) software.

I don't see the counterargument here: why is the situation different for
becoming that other user account or the superuser? Just because they use fewer
programs? Wait slightly longer, for an exploit in the programs that do expose
those accounts.

BTW, I do hope there is some skill level needed to get into the user account of,
for example, seasoned computer users (remotely, not counting physical
access). For a suitable definition of "seasoned".

>> Or he just needs to wait until you become superuser from your own user
>> account and hitch the ride.
> 
> That's obviously something one shouldn't do then.

Yes, I get that. Like I said, I only gave the obvious ones. Unfortunately the
small-scale remedy to those is also obvious. However, you might plug a hole, but
the sieve as a whole keeps going.

> Sure, but there's cool stuff on the other side, too. A user need not be 
> capable of installing software. A process's capabilities can be limited (I
> run my Internet software under AppArmor profiles). The access to X can be
> limited.

I'm not saying you should give up protecting yourself. I just don't see a
significant role of the separate user account in those efforts.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
