[Box Backup] FreeBSD Security Officer's take on Box Backup

Chris Wilson boxbackup@fluffy.co.uk
Sun, 7 Jan 2007 15:53:18 +0000 (GMT)


Hi James,

>> I'm probably far more paranoid about such things than most people; but
>> I would not want an attacker to say "hey, Colin just updated
>> /lib/libcrypto.so.4 on his server; there must be a new OpenSSL
>> security vulnerability"; even worse, if I used Box Backup, such an
>> attacker could likely figure out which files I had recently modified
>> in /usr/src in order to narrow down his search for whatever
>> unannounced bug I had just patched.

If I were as paranoid as he is, I wouldn't give the server operator my real
name, or any other information that might help him to find out that I was
Colin Percival or that I might sometimes patch libcrypto.so.4 before
anyone else instead of, say, modifying a Word document :-)

Cheers, Chris.
-- 
_ ___ __     _
  / __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |