[Box Backup] FreeBSD Security Officer's take on Box Backup
Chris Wilson
boxbackup@fluffy.co.uk
Sun, 7 Jan 2007 15:53:18 +0000 (GMT)
Hi James,
>> I'm probably far more paranoid about such things than most people; but
>> I would not want an attacker to say "hey, Colin just updated
>> /lib/libcrypto.so.4 on his server; there must be a new OpenSSL
>> security vulnerability"; even worse, if I used Box Backup, such an
>> attacker could likely figure out which files I had recently modified
>> in /usr/src in order to narrow down his search for whatever
>> unannounced bug I had just patched.
If I was as paranoid as he is, I wouldn't give the server operator my real
name, or any other information that might help him to find out that I was
Colin Percival or that I might sometimes patch libcrypto.so.4 before
anyone else instead of, say, modifying a Word document :-)
Cheers, Chris.
--
_ ___ __ _
/ __/ / ,__(_)_ | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |