[Box Backup] FreeBSD Security Officer's take on Box Backup
Ben Summers
boxbackup@fluffy.co.uk
Sun, 7 Jan 2007 17:06:40 +0000
On 7 Jan 2007, at 15:35, James O'Gorman wrote:
> I just stumbled upon one of Colin Percival's (the current FreeBSD SO)
> older blog entries regarding backups, and apparently he was recommended
> Box Backup. Here's what he said:
>
>> The third popular suggestion I received was Box Backup. The
>> "Programmers(sic) Notes" included are a bit difficult to understand;
>> it sounds like boxbackup does use some very complicated magic with its
>> "encrypted rsync" to allow some old bits of files to be removed, but
>> I'm not sure if this includes intermediate versions of backed-up files
>> or only the versions which are the oldest at the time. The latter
>> possibility is fine if you only really care about having a backup of
>> the most recent version of everything, but it's not useful if you want
>> (as I do) lots of recent backups but far less frequent older backups.
>> Box Backup also leaks more information than I'm comfortable with; it
>> allows the 0wner of the system on which the backups are being stored
>> to identify
>>
>> * The structure of the directory tree,
>> * The number of files in each directory,
>> * Approximately how large each file is, and
>> * Which files have been modified.
>>
>> I'm probably far more paranoid about such things than most people; but
>> I would not want an attacker to say "hey, Colin just updated
>> /lib/libcrypto.so.4 on his server; there must be a new OpenSSL
>> security vulnerability"; even worse, if I used Box Backup, such an
>> attacker could likely figure out which files I had recently modified
>> in /usr/src in order to narrow down his search for whatever
>> unannounced bug I had just patched.
>
> Is it just me or has he completely misunderstood how Box works? Anyone
> care to correct him? :-)

Filenames are encrypted, you can just tell that something at a
particular depth was modified. You could guess based on the number of
directory entries which directory it was, if you knew the platform,
distribution, and approximately which packages were installed. But we
don't recommend Box Backup is used for system files anyway.

Ben
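
Added example, not part of the thread and not Box Backup's code: a simplified model of the point made in the reply, where names are opaque to the store but each directory's depth and entry count stay visible, used to audit which directories in a backup set have a unique shape against a known stock layout. The tree, key and function names are constructed for illustration and do not reflect Box Backup's actual store format.

```python
import hashlib
import hmac
from collections import defaultdict

KEY = b"constructed-demo-key"  # stands in for the client's secret key

# Constructed sample tree: directory path -> entry names.
CLIENT_TREE = {
    "/": ["etc", "lib", "usr"],
    "/etc": ["hosts", "passwd", "rc.conf", "ssh"],
    "/etc/ssh": ["sshd_config", "ssh_config"],
    "/lib": ["libc.so.6", "libcrypto.so.4", "libm.so.4", "libz.so.3", "libutil.so.5"],
    "/usr": ["bin", "src"],
    "/usr/bin": ["awk", "sed"],
    "/usr/src": ["Makefile", "README"],
}

def depth(path):
    return 0 if path == "/" else path.count("/")

def opaque(path, key=KEY):
    # Model of an encrypted name: a keyed hash the store cannot invert.
    return hmac.new(key, path.encode(), hashlib.sha256).hexdigest()[:12]

def server_view(tree, key=KEY):
    """What the storage side sees in this model: opaque id -> (depth, entry count)."""
    return {opaque(p, key): (depth(p), len(e)) for p, e in tree.items()}

def identifiable(view, reference_tree):
    """Opaque ids whose (depth, count) matches exactly one reference directory."""
    by_shape = defaultdict(list)
    for path, entries in reference_tree.items():
        by_shape[(depth(path), len(entries))].append(path)
    return {oid: by_shape[s][0] for oid, s in view.items() if len(by_shape[s]) == 1}

def audit(tree, reference_tree, key=KEY):
    """Split the client's directories into (exposed, hidden) by shape uniqueness."""
    guesses = identifiable(server_view(tree, key), reference_tree)
    exposed = sorted(p for p in tree if guesses.get(opaque(p, key)) == p)
    return exposed, sorted(set(tree) - set(exposed))
```

In this model `/lib` is pinned down by its entry count alone, while the three two-entry directories at depth 2 cannot be told apart.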