Repost from my dead blog, 2006-09-01
When I talk to most home PC users, they’re very concerned about their own stuff, as they rightly should be. If I ask “what’s the worst thing that could happen if an attacker got your machine,” the response is generally that the attacker could get passwords, personal documents, or identity information.
I’m going to make a very unpopular statement here. That’s not the worst thing that could happen.
While yes, identity theft happens all the time, the most severe attacks lately don’t target individual people. It takes time to write custom processors to find sensitive information in various types of files. It takes time to manually go through the information on your machine with no context and determine what’s of value.
What matters more is something else your computer can provide: anonymity. If an attacker gains access to your machine, they’ve just gained a resource that can be used for a distributed attack against a single entity that a multitude of people use. Spyware’s goal now is not to get YOUR information, but to use YOUR machine to get EVERYBODY’s information by targeting websites with a large number of users. A single machine attempting a brute-force attack against PayPal will take a very long time. But 20,000 machines attempting the same brute-force attack will take a much shorter time to find many more accounts.
So at a personal level, don’t think that the line stops at keeping really sensitive information off your machine. Be sure that the FBI CAN and WILL use your machine to find the real attacker if they can.
At a professional level, data classification is not the holy grail we once thought it was. A resource with no sensitive information is still a resource that can be used to gain access to sensitive information.