-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Les Mikesell wrote:
> Jeffrey J. Kosowsky wrote:
>> As I proved in my earlier post, the chance of a collision on even a
>> Petabyte sized pool is about 1 in 10^38. 
> 
> Note that we've all gotten used to trusting tcp crcs for error detection 
> and it's probably much weaker.
> 
> However, it would still be disturbing to realize that your backup 
> integrity could be compromised by anyone with access to the files. 
> Consider a scenario where a disgruntled employee who still has access to 
> files first prepares the 'evil twin' file with the hack to force an md5 
> value and puts it somewhere that the backup system will find it.  Later 
> he makes the matching alteration to critical files in a way that doesn't 
> break normal use.  Then he waits for any backups of the unaltered data 
> to expire, then destroys the working copies and leaves.

OK, let me check I understand this:
1) The authorized employee creates a new file, which is added to your
backup system
2) They wait for at least one backup to complete
3) They alter an old very important data file such that a section of it
matches the checksum of the file in step 1
4) Nobody notices the very important data file has been altered for the
entire life of your backup cycle
5) Employee destroys the files from step 3
6) The very patient authorized employee leaves
7) The admin tries to restore the file from step 3 only they end up with
the file from step 1.

* Assuming the employeee can manage step 3 on ALL sections of the file

> Assuming it's your job to restore a working copy, what happens next?

Simple, you restore the data from an older working archive/backup...
That is why you don't delete backups unless they are *very* old....

Personally, I'm aiming to keep monthly backups for 1 to 2 years, some of
my clients have daily backups for 999999 days.....

If an employee is willing to wait that long, then they probably need to
get a life :)

Of course, this all assumes that the employee is skilled enough to
achieve all of the above, which is again rather unlikely in my
experience... (Someone going to come up with a probability that any
individual employee has enough knowledge?)

In any case, why not look at how the big hardware vendors deal with this
sort of thing when they see systems with de-dupe as a file server?

Regards,
Adam
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkon6K4ACgkQGyoxogrTyiWlUACeMsVgoDKYAjBEMyvotOFKM7z2
6eUAnjJhOLAVqThJFR9M763KQBzTAfln
=rpos
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises 
looking to deploy the next generation of Solaris that includes the latest 
innovations from Sun and the OpenSource community. Download a copy and 
enjoy capabilities such as Networking, Storage and Virtualization. 
Go to: http://p.sf.net/sfu/opensolaris-get
_______________________________________________
BackupPC-users mailing list
BackupPC-users AT lists.sourceforge DOT net
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/