Compromise perspectives

• System owner who may be facing reinstallation
  • modify any aspect of filesystems as root
  • anything else
• Incident response person analyzing network impact
  • running commands as root or non-root is about the same
  • proxying of IP traffic is almost as bad
  • distribute files via web server or ftp server
  • relay spam mail
  • problems that are not externally visible are irrelevant