Time Machine is Awesome, Vulnerable to Attack


Time Machine, the automated backup system built into Mac OS X Leopard, has been justly celebrated for making the least-fun of all computer practices easy. At the touch of a button, you can find every revision of every one of your files from the time it was installed. Unfortunately, as Steven Fisher recently discovered, this comes with an ugly side effect: even executable code can be run from a Time Machine backup. Cool as that might sound, the consequences could be grim:

Let me give you a simple example: You find out Adium (for example) has an available exploit that the developers haven’t patched yet. You remove Adium, but it continues to exist in your backup. You visit a web page that activates the Adium bug, and Adium is launched from your backup. That you can launch Adium from your backup is not a bug. That Mac OS X will do so automatically without confirmation is a bug. The backup should be considered a vault for the user, not Launch Services.

Yikes. Rogue code is bad. Rogue code that you have to go out of your way to re-delete from your archives? Really nasty. Apple, let’s get a fix going.

Via Daring Fireball

  • imajoebob

    Not (just) to pile on, but I infer from this that Time Machine doesn’t compress files? Or at least not much more than Win95 did with Disk Doubler? I’m gonna need a 250GB drive to support my 60GB notebook. And I really don’t like the idea that the files are recognized by anything other than Time Machine. Would adding a simple password prevent this – and keep the files secure in case someone “accidentally” plugs in my external drive?

  • DBL

    Not only aren’t the files compressed, but they aren’t ‘archived’ at all. They are merely copied to a subfolder on the backup drive. Therefore, there is no way to password protect the ‘backup’ file since there is no backup file. The only unusual thing about the Time Machine files that differentiates them from your original file structure is something called ‘hard links’, which are used so that the same file can appear to simultaneously exist in multiple time-based iterations of backup folders. Note that this whole approach is a very good thing; this is the way Time Machine is able to so very quickly access and recreate a snapshot of your hard drive structure at any point in history, without duplicating files that haven’t changed. It also creates an easily Finder-browsable backup structure that will make sense to the average person. And you do not need a 250GB drive to support a 60GB original — it only needs to be as big or bigger. Time Machine will automatically adjust how many historical changes to documents it preserves according to the size of the drive. If your backup drive gets too full, it starts to drop older versions of documents. You won’t even notice.

    It’s pretty much the best of all worlds. Except … yeah. They definitely should not let any document or web page launch applications that are *only* on the backup drive without an OK from the user! But this is simple to fix and I’m certain it will happen. In the meantime — BECAUSE of the very simple non-compressed, non-archived file structure, it is TRIVIALLY easy for anyone to walk through the backup and delete any historical instances of the insecure application you are worried about. So one of Time Machine’s strengths greatly mitigates this (likely temporary) weakness.
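The walk-through DBL describes, as an added example (not code from the post or from Apple): a small audit script that lists every snapshot still holding a named .app bundle and reports the inode of its main binary, so hard-linked (unchanged) copies are visible. It assumes the usual `Backups.backupdb/<machine>/<snapshot>/<volume>/Applications` layout and builds a constructed sample tree to run against.

```shell
# Assumed Time Machine layout on a local disk:
#   <root>/Backups.backupdb/<machine>/<YYYY-MM-DD-HHMMSS>/<volume>/Applications/<App>.app
# ("Latest" is a symlink to the newest snapshot and is skipped.)

# Print "<snapshot> <inode>" for each snapshot that still contains the bundle.
# $1 = backup root, $2 = bundle name such as Adium.app
find_archived_app() {
    root="$1"; app="$2"
    for snap in "$root"/Backups.backupdb/*/*/; do
        snap="${snap%/}"
        case "$(basename "$snap")" in Latest) continue ;; esac
        for bundle in "$snap"/*/Applications/"$app"; do
            [ -d "$bundle" ] || continue
            bin="$bundle/Contents/MacOS/${app%.app}"
            # Same inode across snapshots = one stored copy, hard-linked (DBL's point).
            ino=$(ls -i "$bin" 2>/dev/null | awk '{print $1}')
            printf '%s %s\n' "$(basename "$snap")" "${ino:-?}"
        done
    done
}

# Number of snapshots that would still let Launch Services find the app.
count_archived_app() {
    find_archived_app "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample: two snapshots share one hard-linked Adium binary,
# a third was taken after the user removed Adium from /Applications.
make_sample_backup() {
    base="$1/Backups.backupdb/macbook"
    for d in 2007-10-26-120000 2007-10-27-120000; do
        mkdir -p "$base/$d/Macintosh HD/Applications/Adium.app/Contents/MacOS"
    done
    first="$base/2007-10-26-120000/Macintosh HD/Applications/Adium.app/Contents/MacOS/Adium"
    printf 'not a real binary\n' > "$first"
    ln "$first" "$base/2007-10-27-120000/Macintosh HD/Applications/Adium.app/Contents/MacOS/Adium"
    mkdir -p "$base/2007-10-28-120000/Macintosh HD/Applications"
    ln -s 2007-10-28-120000 "$base/Latest"
}
```

Run `find_archived_app /Volumes/YourBackup Adium.app` against a real backup root to see which snapshots still carry the bundle before deciding what to remove.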

  • Ian Adams

    DBL: The vast majority of files on any given hard drive are hard links. The difference with Time Machine is that Apple made a fundamental change to the HFS+ file system to allow for *multiple* hard links (called “multi-links”) for any given file. Hard links in and of themselves aren’t a new concept, though, by any stretch of the imagination.

    I definitely agree with you, though, that it will be fixed soon (most likely in the 10.5.1 update) and that in the meantime it is trivially easy to go into your Time Machine backup and simply remove any archived apps in question.

  • coljac

    Actually, with regard to hard links, the big change here isn’t allowing multiple hard links (all unices can do this) but to allow hard links for folders. This is new – under normal circumstances it can cause problems which they appear to have solved for Time Machine. This is the reason you can’t back up to anything but a local disk or another Leopard machine.

About the author

Pete Mortensen

Pete Mortensen is a design strategist for consulting firm Jump Associates and the co-author of Wired to Care: How Companies Prosper When They Create Widespread Empathy, a book and blog that are significantly more interesting than you might initially think. Pete's particular Apple avocations are both around design: interface and industrial. Follow him on Twitter!


Posted in Software