Adam Goryachev wrote:
>
>> However, it would still be disturbing to realize that your backup
>> integrity could be compromised by anyone with access to the files.
>> Consider a scenario where a disgruntled employee who still has access to
>> files first prepares the 'evil twin' file with the hack to force an md5
>> value and puts it somewhere that the backup system will find it. Later
>> he makes the matching alteration to critical files in a way that doesn't
>> break normal use. Then he waits for any backups of the unaltered data
>> to expire, then destroys the working copies and leaves.
>
> OK, let me check I understand this:
> 1) The authorized employee creates a new file, which is added to your
> backup system
> 2) They wait for at least one backup to complete
> 3) They alter an old very important data file such that a section of it
> matches the checksum of the file in step 1
Note that the current backuppc scheme is not susceptible to this. I'm just making an argument against trusting md5's without collision tests because there are published techniques to produce them.

> 4) Nobody notices the very important data file has been altered for the
> entire life of your backup cycle
> 5) Employee destroys the files from step 3
> 6) The very patient authorized employee leaves
> 7) The admin tries to restore the file from step 3 only they end up with
> the file from step 1.
>
> * Assuming the employee can manage step 3 on ALL sections of the file
>
>> Assuming it's your job to restore a working copy, what happens next?
>
> Simple, you restore the data from an older working archive/backup...
> That is why you don't delete backups unless they are *very* old....

It's not that simple. You don't know that you just restored the wrong content - or what is wrong with it. See the 'evil pair of executable programs' here: http://www.mscs.dal.ca/~selinger/md5collision/ (and note the availability of a library to produce them).

> Personally, I'm aiming to keep monthly backups for 1 to 2 years, some of
> my clients have daily backups for 999999 days.....

Old data tends to be like old news - not worth too much. Even after you know you need the old copy, someone now has to repeat the year or two of work to get back to the one you wanted.

> If an employee is willing to wait that long, then they probably need to
> get a life :)

And they might - if they leave with the only good copy of something valuable. Or maybe they'll just get life if they are caught...

> In any case, why not look at how the big hardware vendors deal with this
> sort of thing when they see systems with de-dupe as a file server?

I think there are two styles - a fast one that trusts the hashes and a slower one that just uses it to eliminate mismatches and then does bit-for-bit comparisons before deciding it is identical.
Backuppc might split the difference if the rsync pass watched for odd cases where apparently old linked content didn't match all the block checksums.

--
Les Mikesell
lesmikes...@gmail.com

_______________________________________________
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki: http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/
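As an added illustration (not code from this thread or from BackupPC), a toy content-addressed pool in Python that contrasts the two de-dupe styles described above: linking a new file on digest match alone versus linking only after a bit-for-bit compare. It uses MD5 truncated to 12 bits so that a colliding "evil twin" can be brute-forced instantly for the demo; the file paths and contents are constructed, and `DedupStore`, `find_twin` and `demo` are names assumed here.

```python
import hashlib
from typing import Dict, List, Tuple

# Toy digest: MD5 truncated to 12 bits so a colliding "evil twin" is cheap to
# build for the demo. A real store keys on the full digest; the logic is the same.
def toy_digest(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()[:3]

class DedupStore:
    """trust_hash=True links a new file to any existing entry with the same
    digest; False compares bit-for-bit before linking (the 'slower style')."""
    def __init__(self, trust_hash: bool):
        self.trust_hash = trust_hash
        self.pool: Dict[str, List[bytes]] = {}       # digest -> distinct contents
        self.index: Dict[str, Tuple[str, int]] = {}  # path -> (digest, slot)
        self.collisions = 0                          # same digest, different bytes

    def backup(self, path: str, data: bytes) -> None:
        d = toy_digest(data)
        slots = self.pool.setdefault(d, [])
        if slots and self.trust_hash:
            self.index[path] = (d, 0)   # fast style: digest match taken as identity
            return
        for i, existing in enumerate(slots):
            if existing == data:        # real duplicate only if the bytes agree
                self.index[path] = (d, i)
                return
        if slots:
            self.collisions += 1        # digest matched but content did not: keep both
        slots.append(data)
        self.index[path] = (d, len(slots) - 1)

    def restore(self, path: str) -> bytes:
        d, i = self.index[path]
        return self.pool[d][i]

def find_twin(seed: bytes) -> bytes:
    """Constructed 'evil twin': a different byte string with the same toy digest."""
    target, n = toy_digest(seed), 0
    while True:
        cand = b"evil-twin-%d" % n
        if cand != seed and toy_digest(cand) == target:
            return cand
        n += 1

def demo(trust_hash: bool) -> Tuple[bytes, int]:
    # Plant the twin first (step 1 above), then back up the critical file (step 3).
    important = b"payroll ledger: all figures correct"   # constructed sample content
    store = DedupStore(trust_hash)
    store.backup("/tmp/evil.bin", find_twin(important))
    store.backup("/data/payroll.txt", important)
    return store.restore("/data/payroll.txt"), store.collisions
```

With `trust_hash=True` the restore silently hands back the planted twin; with `trust_hash=False` the mismatch is counted and the real content is kept separately, at the cost of reading the existing copy in full.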