[Boxbackup-dev] Need server-side kill-switch

Peter Jalajas, GigaLock Backup Services pjalajas at gigalock.com
Tue Oct 30 15:05:45 GMT 2012


Hi James,

On Sun, Oct 28, 2012 at 1:25 PM, James O'Gorman wrote:
> On Sun, Oct 28, 2012 at 01:08:56PM -0400, Peter Jalajas, GigaLock Backup Services wrote:
> As a first solution, can you not just put a packet filter in front of
> your backup server (hopefully there's one anyway) that sends a TCP RST
> to the client?

It just gives me the heebeegeebees (sp?) to have one of my "clients"
out there desperately spinning away every 2 minutes.  It just doesn't
seem right.  Maybe I'm wrong, but I feel somewhat responsible for
shutting them down.  And then there's dynamic IP address problems.
Funny, I want to send a kind of "BOX RST" to the client.  :^)

> This won't fix your immediate problem though, as it sounds like the
> customer isn't co-operating, therefore won't install the new version
> that supports this.

Sadly, true, but I don't want to go through this again.

> I understand your point about the server being the general control of
> the account, however the client setup isn't managed by the server admin
> - the client is handed an encryption key by the server, but nothing
> about the client is actually _modified_ by the server.
>
> I really do believe Chris' implementation is the right solution

I guess I'm not _exactly_ sure of what Chris' most recent
implementation was, but I respectfully (I really do understand your
position), but firmly, disagree.  I think we need to be able to Stop
the boxbackup client from that client's server, and that that function
in no way breaks boxbackup's security/trust model ("I promise to
never, ever, give you your data back (I've deleted all your data), so
you might as well stop connecting to me.").

I was proof-reading this email about to hit Send, when I think I came
up with a clarifying point:  you say above, "but nothing about the
client is actually _modified_ by the server."   I agree; I contemplate
that the Server is only sending a Message to the Client
"StopConnectingToMe".  The Client sees and interprets that Message and
does what it thinks is best.

So, at the moment, it looks like Dave B and Pete J are FOR this
Disable function, and James is AGAINST.  But of course, all that
really matters is what Chris thinks about it :^), but I wonder what
others on the list think.   Please feel free to reply with a simple:

+1 : you APPROVE of adding a function by which, upon the Client
connecting to the Server, the Server can reply to the Client with a
message to stop connecting to that Server, and that the Client should
a) be able to receive that message, b) stop itself from connecting to
that Server and c) implement an appropriate NotifyScript function.

-1 : you DISAPPROVE

Very respectfully, James,
Pete

PS: I guess I could accept an exponential slowing of the connection
attempts (2 mins, 4, 8, 16, 32mins, and so on), but that doesn't seem
as clean to me as a formal StopConnectingToMe.  I'm not gonna give you
your data back, even after 2^128 minutes, promise.
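The two alternatives discussed in this message (a server reply that tells the client to stop, with a notify hook, versus the exponential backoff from the PS), as an added illustration that is not Box Backup's code; the message names, the in-memory account set and the notify hook are assumptions:

```python
# Added illustration of the proposed "stop connecting" reply and the exponential
# backoff alternative. Not Box Backup code; all names and wire formats are assumed.
from dataclasses import dataclass, field

STOP_MSG = "StopConnectingToMe"   # name taken from the thread; wire format assumed
READY_MSG = "Ready"               # constructed stand-in for a normal session start


@dataclass
class Server:
    """Holds the accounts the operator has disabled server-side."""
    disabled: set = field(default_factory=set)

    def on_connect(self, account: str) -> str:
        # The server never modifies client state; it only answers the connect.
        return STOP_MSG if account in self.disabled else READY_MSG


@dataclass
class Client:
    account: str
    stopped: bool = False                      # would be persisted on disk in practice
    notify_log: list = field(default_factory=list)

    def attempt(self, server: Server) -> str:
        if self.stopped:
            return "skipped"                   # no network activity once told to stop
        reply = server.on_connect(self.account)
        if reply == STOP_MSG:
            self.stopped = True
            self.notify_log.append(f"NotifyScript stop {self.account}")  # hook stand-in
            return "stopped"
        return "backup"


def backoff_delays(base_minutes: int = 2, attempts: int = 6) -> list:
    """The PS alternative: 2, 4, 8, ... minutes between failed attempts."""
    return [base_minutes * 2 ** i for i in range(attempts)]


def run_exchange() -> list:
    """Constructed scenario: one normal run, then the operator disables the account."""
    server, client = Server(), Client("acct-0001")
    outcomes = [client.attempt(server)]        # normal backup
    server.disabled.add("acct-0001")           # operator hits the kill switch
    outcomes += [client.attempt(server), client.attempt(server)]
    return outcomes                            # ['backup', 'stopped', 'skipped']
```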