On Wed, Jul 21, 2021 at 09:36:37AM -0700, James H. H. Lampert wrote: > "Immutable backups." Interesting concept. But how?
In a dull enterprise world they usually used tape libraries for that. It's not popular these days, but still used here and there. "Cloud backups" are getting their share, although they carry their own risks. > Optical media? 20 years ago my answer would be "yes". 10 years ago - "maybe". Today's answer - go to eBay, and buy that LTO-6 drive, and a FC HBA while you're at it. If tinkering with tapes is not your cup of tea - rent an appropriate amount of disk space from several cloud vendors, and put each locally-encrypted backup in several places. > Enormous decks of Hollerith cards? Enormous reels of punched paper tape? It's a really simple concept - one host is doing the backup, another one controls where and how it written. To inflict some damage, one has to compromise both, and frankly if one does not protect their backups properly one has bigger problems to worry about than a "ransomware attack". Of course, not doing any backups at all is equally bad. > So far as I'm aware, there is *only one* operating system currently in > wide use, that has never been successfully infected with malware > outside of laboratory experiments: the IBM Midrange operating system > that goes by such names as OS/400 and i5OS (among others, and although > I work with it on a daily basis, I've long-since given up keeping > track of what IBM is calling it in any given week). OS/400 was before my time, but I have a limited experience with z/VM which ran at z9 mainframe about 10 years ago. One day certain IBM engineer somehow managed to execute a certain job from one LPAR in another, completely breaking the isolation between LPARs. The mainframe just shutdown presumably to prevent other abuse to happen, and in modern terms this could be classified as locally executed DOS attack. My point is - maybe IBM gone wrong direction somewhere with Z-series. And, of course - they do not make these things today like they used to. > But Linux comes a lot closer to being malware-secure than WinDoze, or > even Mac OS, which is one reason why, with my "bionic desk lamp" iMac > on its last legs, instead of buying another Mac, or a WinDoze box, I > bought a Meerkat. Why "even Mac OS"? Being UNIX does not make it magically secure, nor being produced by Apple does. As long as OS promotes and considers perfectly normal to run arbitrary software obtained from $DEITY knows where - such OS cannot provide any kind of meaningful security, user data being considered. Note that obtaining a software from third-party and providing it as is (iOS, Android being prime examples here, and M$ tries to get there) does not make the security of user data any better. Reco
