[paranoidrobot]

> Any virus would have to exploit a system vulnerability,

I'm not sure if by virus you mean some specific definition, but malware can still result in a very long and painful day/week/whatever with just access to your home directory and nothing else.

What would happen if your ~/.aws folder was piped to pastebin? Even if you're using short-lived STS sessions with ephemeral keys, I imagine most people would still find themselves in a world of hurt.

How about sending interesting files from your browser's userdata directory? All your cookies, your browser's password manager, possibly copies of your third-party password manager's cache (even if it's all encrypted), copies of cached files, your Downloads directory.

[markhahn]

calling home or exfiltration is indeed a serious threat. otoh, it's fairly straightforward to partition / reduce / sandbox environments in Linux. do you need to touch AWS infrastructure from the same account, host, vm as you read email or surf the web? do these environments need full, direct internet access?

[paranoidrobot]

> it's fairly straightforward to partition / reduce / sandbox environments in Linux.

Perhaps in some distros, but not so much elsewhere.

> Do you need to touch AWS infrastructure from the same account, host, vm as you read email or surf the web?

In short: Yes.

> do these environments need full, direct internet access?

Not sure what you mean by the environment, but in general, yeah - a whole bunch of tooling these days is basically unusable without internet access.

[charcircuit]

What percentage of desktop Linux users do that? Most distros don't do any sandboxing and those that do typically have easy ways to run binaries outside of a sandbox.