Okay. Just to be clear, I’m not arguing otherwise. I simply don’t understand. And apparently I’m not the only one who doesn’t understand.
I read the links you provided. To be fair, several of them have no discussion or explanation. They consist of rejecting the question outright with the implication that the misunderstanding is the responsibility of those who don’t understand. I suppose, by definition, it is the problem of those who misunderstand. But perhaps it’s possible that something is missing in the explanations? I know… I know… but it’s been explained so many times. The thing is, these types of misunderstandings aren’t uncommon. I suspect that some sort of basic knowledge is being presumed as a given by those who understand the matter… but that basic knowledge is not understood by those who don’t ‘get it’. Or something similar to that.
In the above links (with actual discussion and attempts at explanation), there were several references to the same article by Rutkowska that was published years ago - which, as provocative as it was, obviously fell short in clarifying the matter for many users because the topic has been revisted so often since then.
So allow me to clarify what doesn’t make sense to me. Again, I’m not arguing that root passwords are more secure. I’m simply describing my (apparent mis)understanding.
“all the user data is already accessible from the user account, so there is no direct benefit for the attacker if she could escalate to root”
I don’t understand this. How is everything already available? Obviously with no password needed in a VM, everything is available. But if there was a root password, the user would need it to access everything, no? The same user would also need the password to access the root directory in the template, no? What am I missing? Why is this true in a Qubes VM but not true in my other laptop running Debian?
“there is… no benefit in trying to install some persistent rootkits, as the VM’s root filesystem modifications are lost upon each start of a VM.”
My understanding is that a user can “make any file persistent” with bind-dirs. Therefore, is it not possible to create the persistence necessary to have an exploit survive reboot? How is bind-dirs not a “backdoor to persistence” and a direct counterthreat to the security offered by template-based VMs?
I wonder if my confusion is primarily based on not understanding how most attacks occur. I always imagine something like a network attack or remote hacking of a shell or a situation where the hacker hits one final key, leans back and says “We’re in.” At that point, I imagine the hacker has access to the same shell that I do and therefore, a password is what will stop them from doing more damage. Of course, given the pushback surrounding this whole topic, something tells me my understanding is way oversimplified and I’ve been watching too many bad movies. In the end, if root passwords really are useless, I just want to have some sense of what I am defending myself against.
I guess that’s the gist of my misunderstanding. Any and all feedback is appreciated. I really don’t want to be an annoyance. But I am even more motivated to undertand and not just blindly agree with authorities on the matter. Thank you for your patience.