Wednesday, August 8, 2012

Back up your data

Most of you have heard about the hack involving the Apple and Amazon cloud services, where people lost their data.  The attack wasn't technical, it was "social engineering" - phoning up the services and convincing tech support that you needed your account info upgraded.  Of course, the new info allowed the attacker to get into the accounts, and locked the legitimate user out.

Quite frankly, there's nothing that you can do to prevent this.  But this was the part of the article that should never happen to anyone:

"Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location."

Backups address rather a lot of security problems, and everyone should be doing them.  You should really back up to multiple different locations, so if you lose your account or machine, and you lose a backup, you're still covered.

I like this sort of thing for quick backups, and there's a deal going on right now*:

32 GB flash drive - you can back up a lot of data onto that.  $20.  For that price, you can get a couple, and not worry about losing your kid's pictures.  Or you could get this to back up all the computers in your house:

2TB external hard disk.  $129.  For not much more you can get one that attaches to your network, and you don't have to schlep the drive from computer to computer (if all your computers are near each other, you could do this with a USB hub).

Also, remember that your smart phone can also be a backup for music and pictures.  Even if your house burns down and you lose all your backups, you might have all your pix on your phone.  More backups is better, because two is one and one is none.

Just a word to the wise.

* I don't have any relationship with TigerDirect, just bought a bunch of stuff from them in the past.


Dave H said...

There are two kinds of computer users. Those who have lost data, and those who will.

If you're going to use the USB memory sticks I fervently encourage you to get several and rotate them. The memory chips they use can only be written so many times before they wear out. With 3 of them you can do this week's backup on #1, next week's on #2, the week after that on #3, the following week on #1, and so on. That way you have multiple backups in case one fails, and you may have a clean backup in case you find a more recent one has something nasty like a virus on it. (It does happen. Our IT guy at work learned the hard way.)

Jake (formerly Riposte3) said...

There's a reason I don't keep anything important solely on any "cloud" services, if I can help it. I do need to figure out how to back up my Google Drive files, though.

For my computer, I have a 1.5 TB USB hard drive and a simple rcp script that I run every couple of weeks. I also write a disk image every few months in case of severe issues.

Critical files (tax records, gun records, etc.) also get backed up to thumb drives. Now I just need to get a fire-resistant document safe to keep them in.

What surprises me is how many people think that what I do is overkill.

Jake (formerly Riposte3) said...

Now that I've read the linked article, I have to say the most chilling part is Apple's lax approach to security, and this little quote:

"Your pizza guy could do the same thing, for example. If you have an AppleID, every time you call Pizza Hut, you’ve giving the 16-year-old on the other end of the line all he needs to take over your entire digital life."

That's right. Information that is routinely given to random strangers in people's normal course of daily business is what Apple relies on to authenticate your identity and grant total access to your accounts and devices.

Borepatch, you've written before about Apple's lax approach to security. Here's another one for the files.

drjim said...

A couple of years ago I built an NAS box for our home network. Just an older Intel ATOM-powered PC that I'd used for some other project. It's got a 4 drive RAID 6 array in it, and everybody in the house has their own share on it.
When I bought the original drives, I bought twice as many as I needed (8 drives total), so as the drives eventually fail (and they will!), I can replace them with an identical drive, and let the array rebuild itself. It should last a good while!
And EVERY PC in the house is on a UPS to protect it from those "OOOPS!" moments when the power blinks.

Dwight Brown said...


As Borepatch's resident Apple fan boy, I have to ask: how would you do it differently?

Keep in mind that if Apple (or anybody else) required something like a postal email request with proof of identity, or a fax, they'd probably be getting flamed just as hard in the opposite direction. "Waaaaaah! I'm locked out of my Apple account, and they won't reset it until they get and process a letter with a Xerox copy of my driver's license! That's going to take a week! Waaaaaah!"

(Substitute "Amazon", or the large company of your choice, for "Apple" in the above.)

We all know that you can have one of "security" and "convenience", but we're professionals.

Jake (formerly Riposte3) said...

"As Borepatch's resident Apple fan boy, I have to ask: how would you do it differently?"

Hmmm, how about security questions, set up by the account holder beforehand, to prevent unauthorized people from calling in to gain access? Oh, wait:

"In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up."

The hackers couldn't answer his security questions, but Apple gave them access anyway based on other information that people hand out to strangers on a daily basis. Why bother with the security questions if they aren't going to actually, y'know, prevent access by people who can't answer them?

Dave H said...

I'd put more stock in security questions if they made sense, but some of them are impossible to answer if you don't remember what you set up in the first place.

"What is your favorite cereal?" You mean today? Or six months ago?

I realize the answers don't have to match the questions, they just have to match whatever you said was the right answer when you set it up. But the idea of using a question is so you -can- remember what you set up.

Borepatch said...

I think that you're better off assuming that the Cloud's security will fail you, and have your data safely backed up under your control.

Dwight Brown said...

"Why bother with the security questions if they aren't going to actually, y'know, prevent access by people who can't answer them?"

But is that an example of a hole in the policy (or a badly designed policy), or is that an example of a human error (somebody didn't follow procedures)?

Dave H. has a good point, too. I've run into some of those security questions where I say to myself, "Am I going to remember what I put in here six months from now?" And how many of those questions have guessable answers? How many people's first dog was "Spot"? [raises hand] How many colors do people realistically put in to the "What is your favorite color?" question? Does anyone answer "The Clan Borepatch tartan", rather than "red", "green", or "blue"?

Dave H said...

"And how many of those questions have guessable answers?"

Anybody remember "Wasilla High"? That was the answer to one of Sarah Palin's security questions that someone was able to guess and gain access to her email account.

This isn't a new problem, it's just that Google and the like are encouraging us to trust more of our valuable data to them.

Dwight Brown said...

I wish I could find it now (I think it was on TJIC's web site) but somebody did a really funny riff on challenge-response questions.

"The Penis shoots Seeds, and makes new Life to poison the Earth with a plague of men"

"Go forth and kill! Zardoz has spoken!"

Jake (formerly Riposte3) said...

"But is that an example of a hole in the policy (or a badly designed policy), or is that an example of a human error (somebody didn't follow procedures)?"

From what I read in the story and the followups, Apple officially claims the latter, while it appears to really be the former (multiple test attempts using the same method succeeded, and two separate Apple tech support reps confirmed it as policy).

"how many of those questions have guessable answers?"

Who says you have to answer them accurately? If it asks for your mother's maiden name use your father's middle name (or the other way around). If it asks for your first pet's name use your second pet's name instead. Just be consistent so it's easy to remember on different sites. At some point, the user has to assume some responsibility for covering the security holes that are created in making a system easily usable.

Of course, Borepatch is absolutely right - trusting the cloud's security to keep your data safe is foolish. If the cloud has access to your locally stored data, too, then some form of unconnected backup storage is the only way to ensure that it can't be lost, like what happened to the guy in the story.

Anonymous said...

Seems to me that it's only wise to keep backup media under your own physical control — with perhaps a backup-backup stored in a safe deposit box (or elsewhere offsite) and replaced/updated as needed.

Nothing important of mine is going in anybody's cloud.

Xi Roswell said...

Backups address rather a lot of security problems. Indeed so sure. So we really got to be thankful that IT people exist. We surely need them for security.