[Box Backup] Danger of files being erased

Ben Summers boxbackup@fluffy.co.uk
Mon, 2 Feb 2004 10:36:10 +0000


On 2 Feb 2004, at 10:17, Alaric B Snell wrote:

> Ben Summers wrote:
>
>> The current security model assumes that access to the client machine 
>> and its data is equivalent to access to the backups -- which I feel 
>> is reasonable since an attacker can just read the unencrypted files. 
>> However, future versions will have a system of "marking" snapshots, 
>> so you'll easily be able to go back in time before the compromise.
>> There's roughly the same problem with any other backup system -- if 
>> you don't notice and rotate so the good data is deleted, you've lost 
>> the backup.
>
> Yep. You can only undo changes within a finite timeframe, and the 
> length of that timeframe (in the case of incremental backups) may 
> depend on the rate of change of data, meaning an attacker may even 
> deliberately shorten it by having his rootkit create and frequently 
> update a 1GB file somewhere :-)
>
> I presume the bbstored protocol doesn't allow any other way of getting 
> rid of a backed up file than uploading changes to that file as fast as 
> you can until the good version is expired, right?

Correct.

Although because the server is implemented within my "as simple as 
possible (but no simpler)" philosophy -- easy to write, fewer bugs, etc 
-- you could simply modify this 1Gb file by adding a byte, and it would 
use an extra 1Gb on the server.

>  If so, then all you need is a reasonable upload bandwidth limitation 
> and an easy way of getting old versions by date and/or getting "diffs" 
> of the live system to see what's changed, and it could be a valuable 
> un-rootkitting tool too!

I think it could be as simple as having a paranoid mode where

1) When you successfully connect to the server, you're then prohibited 
from logging on again for a defined interval

2) Only allowing a file to be updated once per session.


Releasing this system has been very interesting -- new uses have been 
proposed, and new ways of working have been suggested which make it 
useful even in scenarios I hadn't anticipated it being able to be used in.

I'm keeping notes!

Ben
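The "paranoid mode" sketched above (a lockout interval after each successful connect, and at most one update per file per session) bounds how fast any client, including a compromised one, can push new versions of a file and so age out the good copy. The following is an added example written for this archive page, not Box Backup or bbstored code: a small server-side policy object enforcing both rules, plus a simulation with a fake clock that shows how many versions of one file a client can store in a week when it reconnects every hour. The account name, file path and the `ParanoidPolicy` / `simulate_churn` names are assumptions made for the example.

```python
"""Added example: server-side enforcement of the two paranoid-mode rules
proposed on the list (not Box Backup's own code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


class PolicyViolation(Exception):
    """Raised when a client action breaks a paranoid-mode rule."""


@dataclass
class Session:
    """One client connection; remembers which files it has already updated."""
    account: str
    files_updated: Set[str] = field(default_factory=set)


class ParanoidPolicy:
    """Hypothetical policy object the server would consult on every request.

    Rule 1: after a successful connect, the account may not log on again
            until lockout_seconds have passed.
    Rule 2: a given file may be updated at most once per session.
    """

    def __init__(self, lockout_seconds: int, clock: Callable[[], int]):
        self.lockout_seconds = lockout_seconds
        self.clock = clock                      # injectable so tests can control time
        self._last_login: Dict[str, int] = {}   # account -> time of last successful connect

    def connect(self, account: str) -> Session:
        now = self.clock()
        last = self._last_login.get(account)
        if last is not None and now - last < self.lockout_seconds:
            remaining = self.lockout_seconds - (now - last)
            raise PolicyViolation(f"{account}: login refused, {remaining}s of lockout remaining")
        self._last_login[account] = now
        return Session(account)

    def update_file(self, session: Session, path: str) -> None:
        if path in session.files_updated:
            raise PolicyViolation(f"{path}: already updated once in this session")
        session.files_updated.add(path)


class FakeClock:
    """Deterministic clock for the simulation (constructed for the example)."""

    def __init__(self) -> None:
        self.t = 0

    def now(self) -> int:
        return self.t

    def advance(self, seconds: int) -> None:
        self.t += seconds


def simulate_churn(lockout_seconds: int, window_seconds: int, attempt_every_seconds: int) -> Dict[str, int]:
    """Count how many new versions of one file a client that reconnects every
    attempt_every_seconds and re-uploads the same file can store within the window.
    lockout_seconds=0 models the policy switched off."""
    clock = FakeClock()
    policy = ParanoidPolicy(lockout_seconds, clock.now)
    path = "/var/big/churn.bin"          # constructed sample path
    stats = {"versions_stored": 0, "logins_refused": 0, "updates_refused": 0}
    while clock.now() < window_seconds:
        try:
            session = policy.connect("client01")
        except PolicyViolation:
            stats["logins_refused"] += 1
        else:
            policy.update_file(session, path)
            stats["versions_stored"] += 1
            try:
                policy.update_file(session, path)   # second upload of the same file, same session
            except PolicyViolation:
                stats["updates_refused"] += 1
        clock.advance(attempt_every_seconds)
    return stats


if __name__ == "__main__":
    day, week, hour = 86400, 7 * 86400, 3600
    print("policy off:", simulate_churn(0, week, hour))
    print("24h lockout:", simulate_churn(day, week, hour))
```

With the policy off, an hourly reconnect stores 168 versions of the file in a week; with a 24-hour lockout it stores 7, so a retention window that keeps the last N versions now corresponds to N days rather than N hours of attacker effort. The server still has to pair this with the usual accounting (the extra 1Gb per changed byte mentioned above is unaffected by the rate limit, only slowed down).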