Basically they rely on any kind of backup which is not accessible as an writable file on the currently mounted fs. There's nothing ZFS specific there. That part is just an advertisement for ixsystems + freenas.
That's not really the point. Your btrfs file system to be an effective measure against attack should be on a separate machine where you only have write access to one single snapshot. If you have btrfs on your working machine it's not effective. Once someone gets root then they can just unmount it and encrypt the raw device.
The point is privilage separation and if you want to protect against root exploits then you need a separate machine with appropriate access control (which is basically an append-only backup).
Cryptolocker doesn't get root though - that's the point. Cryptolocker exploits the absurd situation that we protect system data better then we protect user data - the irreplaceable part of your computer.
ZFS protection on Linux is also an accident here - because on Solaris users can manage their own snapshots, but in ZoL you currently need root.
I've said it before: what people need is the concept of user privilege namespaces. So you sudo elevate yourself into 'backup' privileges without elevating to root.
What does ZFS have to do with this? This is like any other properly executed backup. You may as well call it "defeating having your day ruined by keeping proper backups". Granted I do like ZFS and I've literally been doing this for ages, backing up my KVM guest images to ZFS SAN the KVM host can access to save the snapshot and the KVM guest can't access at all.
However this can be done a million different ways. It's just a backup not accessible to the affected system... I do the same thing with my bare metal OSX machines (macbook, macpro, etc...) they use time machine to backup to Netatalk shares, those shares are image files which again get backed to the ZFS SAN. So even if the time machine share was encrypted I'd have a copy of the image holding the share from X days ago.
13 comments
[ 3.3 ms ] story [ 44.0 ms ] threadBasically they rely on any kind of backup which is not accessible as an writable file on the currently mounted fs. There's nothing ZFS specific there. That part is just an advertisement for ixsystems + freenas.
The point is privilage separation and if you want to protect against root exploits then you need a separate machine with appropriate access control (which is basically an append-only backup).
ZFS protection on Linux is also an accident here - because on Solaris users can manage their own snapshots, but in ZoL you currently need root.
I've said it before: what people need is the concept of user privilege namespaces. So you sudo elevate yourself into 'backup' privileges without elevating to root.
However this can be done a million different ways. It's just a backup not accessible to the affected system... I do the same thing with my bare metal OSX machines (macbook, macpro, etc...) they use time machine to backup to Netatalk shares, those shares are image files which again get backed to the ZFS SAN. So even if the time machine share was encrypted I'd have a copy of the image holding the share from X days ago.
Presumably ZFS is immune from CryptoLocker. CryptoLocker can only compromise NTFS 'computers'.