Blocking malware (was Re: Use of Root)

[richb at pioneer.ci.net (Rich Braun)]

Karina wrote:
> That argument aside, and assuming security is not
> an issue on a small closed network, (yes, I know
> that security is always an issue!),

The most fundamental reason you don't want to do routine tasks (like web
browsing or email) with root enabled is that you don't want malicious software
to take over your computer.

Under Linux they are called "Trojan horses" because they rely on a relatively
savvy person to make the mistake of running a program with root privileges. 
On a PC or Mac, users almost always run with "administrator" privilege so the
program can be run--in essence--without the user being aware of it.  Hence it
spreads around the 'net in a manner more reminiscent of a virus than of a
wooden horse carried inside protective walls by troops who should have known
to check first. (Another class of malware is the 'worm', which works like a
virus and exploits a bug in one of the daemon servers running in background,
rather than waiting for a user to invoke it.)

One other point:  all of us make mistakes once in a while, the sort which
erase or over-write data.  You're more likely to blow away something important
if you're running with root permissions all the time.

If PC users would take all this to heart, authors of viruses would have to
find something else to do--viruses simply couldn't spread the way they do, and
all of us would benefit from an entire class of peer-to-peer Internet
applications that probably won't ever be invented because ISPs are having to
put restrictions (port blocks) on connectivity among users' PCs.

One of the best ways to lock down your PC and protect against unknowingly
running malicious software is to install a monitoring program that triggers an
alert if anything unexpected changes on your hard drive.  The two that I use
are Kerio (for Windoze boxes) and samhain (for Unix/Linux).

-rich