[Box Backup] Danger of files being erased

Ben Summers boxbackup@fluffy.co.uk
Mon, 2 Feb 2004 10:03:18 +0000


On 1 Feb 2004, at 23:23, Alaric B Snell wrote:

> Ben Summers wrote:
>>>  And also is it possible to lock the
>>> backup key, like putting a passphrase on it? Of course the passphrase
>>> has to be entered before using the key, which means when bbackupd or
>>> bbackupquery is started.
>> There's not much point in doing this. It would add little to the 
>> security of the system, and provide a false sense of security. Seeing 
>> as the key and the data on the computer you've just broken into are 
>> effectively equivalent, there is no reason to protect the key. An 
>> attacker would just read the decrypted data.
>> Of course, there is the problem that if they broke in to your 
>> computer and stole the keys, they could then use the backup server to 
>> get copies of your files whenever they wanted. But this could be 
>> solved by changing the certificate -- and you would notice the 
>> break-in, wouldn't you?
>> Security is about reacting, as well as preventing.
>
> Is there a danger they could compromise system data, and then upload 
> the new compromised versions to the backups?

Yes.

>  Worse than setting the deleted flag :-)

The current security model assumes that access to the client machine 
and its data is equivalent to access to the backups -- which I feel is 
reasonable since an attacker can just read the unencrypted files. 
However, future versions will have a system of "marking" snapshots, so 
you'll easily be able to go back in time before the compromise.

There's roughly the same problem with any other backup system -- if you 
don't notice and rotate so the good data is deleted, you've lost the 
backup.

>  What's done about multiple historic versions of files in the backups?

They are all available, if in a slightly non-user-friendly way.

   http://www.fluffy.co.uk/boxbackup/retrieve.html

Although I will make this better in the future.

>
> Interestingly, the clever upload-only-changes thing could well be used 
> to help clear up after an exploit - reboot from a clean OS to get past 
> the rootkit, then ask the bbackupquery tool to list which files were 
> modified since the last backup run, and then hand-vet the changes...

Interesting... :-)

>
>>> - I'm really considering running it on every machine I own. I'm just
>>>   waiting to get more disk space.
>> Thanks!
>
> Personally, I'm limited by bandwidth between my machines, which are 
> all at different ISPs (with bandwidth charges) or on ADSL - which is 
> why my trusty tape drives are still whirring away for now; I can use 
> sneakernet for my high bandwidth backup transfers ;-)
>
> I'm wondering about performing gross trickery and taking a laptop into 
> each rack in turn, running the server, to do the initial 
> upload-everything onto, then transferring the server install to a real 
> server machine to then handle subsequent incrementals...

Yes, that would work.

Ben
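The "list which files were modified since the last backup run, then hand-vet the changes" idea discussed above can be illustrated with a small manifest comparison. The following is an added example and not Box Backup's own code (bbackupquery has its own compare facility; this is only a stand-alone sketch of the approach). It assumes the baseline manifest is computed from the clean copy held on the backup server, or from a restore of it, never from a manifest file kept on the suspect host, since a compromised host could rewrite that too. The sample file trees are constructed inline so the script runs offline.

```python
import hashlib
import os
from typing import Dict, List

Manifest = Dict[str, str]  # relative path -> sha256 hex digest

# Constructed sample data: the tree as it was at the last clean backup run
# (taken from the backup store) and the tree as found on the suspect host
# after booting from clean media. Neither tree is real system content.
LAST_CLEAN_BACKUP = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "bin/ls": b"\x7fELF-original-ls",
    "var/log/auth.log": b"Jan 31 accepted login\n",
}
SUSPECT_HOST = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n",
    "bin/ls": b"\x7fELF-replaced-ls",
    "usr/lib/libhook.so": b"\x7fELF-new-library",
}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_from_mapping(files: Dict[str, bytes]) -> Manifest:
    """Build a manifest from an in-memory path -> content mapping."""
    return {path: digest(data) for path, data in files.items()}


def manifest_from_directory(root: str) -> Manifest:
    """Hash every regular file below root, keyed by path relative to root.

    Symlinks are skipped so that a planted link cannot make the scan hash
    (or report on) a file outside the tree being vetted.
    """
    manifest: Manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return manifest


def diff_manifests(baseline: Manifest, current: Manifest) -> Dict[str, List[str]]:
    """Return the paths added, modified and deleted relative to the baseline.

    Deleted files matter as much as added ones: removed logs are a common
    sign of clean-up after a break-in and would otherwise go unnoticed.
    """
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "deleted": sorted(baseline.keys() - current.keys()),
    }


def vet_report(changes: Dict[str, List[str]]) -> str:
    """Render the change list in a form suitable for hand review."""
    lines = []
    for kind in ("added", "modified", "deleted"):
        for path in changes[kind]:
            lines.append(f"{kind:<8} {path}")
    return "\n".join(lines) if lines else "no changes since baseline"


if __name__ == "__main__":
    baseline = manifest_from_mapping(LAST_CLEAN_BACKUP)
    current = manifest_from_mapping(SUSPECT_HOST)
    print(vet_report(diff_manifests(baseline, current)))
```

To vet a real host booted from clean media, pass the mounted root to `manifest_from_directory` and compare it against a manifest built the same way from the restored backup. The list is only a starting point for review: a file whose hash matches the baseline can still have been restored from the backup by the attacker, which is why the earlier point about rotating the certificate after a break-in still applies.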