On Sun, 2008-05-18 at 13:51 +0100, samwise wrote:
and even then to do any serious damage they need the root user password.
Not strictly true unless you're talking about servers - yes, damage to the system itself is restricted but most desktop users wouldn't care as much about those as to the personal files in their home directory - which would, of course, be theoretically vulnerable.
Has anyone seen the things on Windows that change the DNS name servers to some hosted in Russia which work perfectly well for web browsing but, as well as providing a convenient log of the sites you are visiting, also replace the IP addresses of common banks, PayPal etc. with the IPs of phishing clones? Without root access on a correctly configured machine that wouldn't be possible.
Of course, whether that is better or worse than nuking all your files depends on how careful you are when dealing with those sites and whether or not you have backups. But making you more vulnerable to phishing scams is certainly the more profitable of the two.
Also, don't forget that with root access any existing security on the machine can be more easily reconfigured/disabled.