
The Wirecutter on 3-2-1 Backups


3-2-1 is the watchword for how to do backups.  3 copies, on at least 2 different media, and 1 offsite.  I have written about this a lot, as I consider it the most basic of security basics.

If your data is backed up offsite, ransomware can’t get to it, fire and flood can’t get to it.

Now The Wirecutter has thrown its backup hat into the ring.  They might have a few (million) more readers than I do, so I will go ahead and link to them.

I am not a huge fan of their cloud pick, Backblaze.  I have tried it and found it to be unacceptably slow.  But it’s probably the easiest to use for the non-technical user, so my disagreement is little more than a quibble.

I am currently backing up with Duplicati and then syncing my backups to pCloud.  Duplicati is awesome but I can tell you: when it comes to ease of use, it’s no Backblaze!  If you just read that and felt like you were going to enjoy that challenge, I say, go for it.

pCloud is just as easy to use as Backblaze, but it does not offer anything like as much functionality as Backblaze.  But it’s comparable in price, and if you can handle Duplicati, pCloud won’t even make you break a sweat.

Anyway, here’s the TL;DR:  Make. Your. Damn. Backups!

Nukes Inbound to Hawaii! NOT!


The word on why we got treated to a false alarm about missiles heading for Hawaii is this:
(over-simplification alert!)

  1. What was supposed to be an internal-only test message got misdirected to the live alert system
  2. When presented with the much-maligned, “Are you sure?” prompt, the operator did what we all do reflexively.

They clicked Yes.

There’s a security lesson here.  Stop and take a breath and read all these prompts.  Clicking OK automatically is the road to ruin.  So many security-sensitive things are prompted like this.  You get this one chance to stay safe.  Take it.

Have a Random New Year


Randomness is important.  You use it in the physical world when you shuffle a deck for a game of cards or roll a D12 for a result in Dungeons & Dragons.  But you need it even more in the digital world, and it’s more difficult to come by.  You need randomness to select one-time-use keys that you share for symmetric encryption, to select strong passwords or passphrases, and to run fair games at things like online poker and casino sites.

The problem is that, for all the miraculous things software can do with random input, it is very bad at generating it.  Algorithms are deterministic, even if they are designed to be difficult to predict.  When you use a function like RAND() in Excel, or get randomized challenges in low-stakes gaming, you’re usually getting the output of what’s called a pseudo-random number generator (PRNG).  The PRNG takes a numerical value, called a seed, and generates a series of new values from it.  If the seed is known, then the new values are easy to predict.  If the seed is not known, it’s a lot more difficult — but not impossible.  If you reuse the same seed, you get the same sequence.  This property can be useful sometimes, for example if you want to be able to reproduce a series of plays in a game.  But mostly, it’s a very bad flaw in any process that needs randomness.

PRNGs are fine when it doesn’t matter.  But when it matters, you need to harness the unpredictability of the physical world.  One great Internet resource uses atmospheric noise to generate its random numbers.  At that site, random bits are available anytime you want, in many forms.  Some are free and some are available to paid members.  It’s an important function for the safety of the Internet as a whole, and it’s worth supporting.
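To make the seed problem concrete, here is an added example (not code from the original post) showing that a seeded PRNG replays the same D12 rolls for the same seed, so anyone who knows the seed can reconstruct every value, while a key or passphrase drawn from the operating system’s cryptographic generator (`secrets`) cannot be reseeded or replayed. The word list and the “game” functions are constructed stand-ins for the uses the post mentions.

```python
"""Added example: deterministic PRNG vs. the OS cryptographic RNG.

Assumptions: standard library only; the word list below is a constructed
8-word sample, not the real EFF list (which is 7,776 words long).
"""
import random
import secrets

# Constructed mini word list for the passphrase demo (hypothetical).
WORDS = ["anvil", "blanket", "cobalt", "dune", "ember", "falcon", "glacier", "harbor"]


def prng_rolls(seed: int, count: int = 5, sides: int = 12) -> list:
    """Roll a D12 `count` times with a PRNG seeded by `seed`.

    A private random.Random instance is used so the global generator's
    state is untouched. The output depends only on the seed.
    """
    rng = random.Random(seed)
    return [rng.randint(1, sides) for _ in range(count)]


def seed_is_reproducible(seed: int) -> bool:
    """The flaw the post describes: reuse the seed, get the same sequence.

    Fine for replaying a game; disastrous for anything that must be secret.
    """
    return prng_rolls(seed) == prng_rolls(seed)


def values_follow_from_seed(seed: int, observed: list) -> bool:
    """If the seed leaks, every 'random' value derived from it can be
    regenerated, so a key or password built that way offers no secrecy.
    This is why a seed must be both secret and unpredictable."""
    return prng_rolls(seed, count=len(observed)) == observed


def symmetric_key(nbytes: int = 32) -> bytes:
    """A one-time-use key for symmetric encryption, drawn from the OS CSPRNG.

    `secrets` has no seed you can set from Python; the kernel mixes in
    physical-world entropy, so two calls never replay each other.
    """
    return secrets.token_bytes(nbytes)


def keys_are_unique(trials: int = 8) -> bool:
    """Generate several keys and confirm none repeat (no replayable seed)."""
    return len({symmetric_key() for _ in range(trials)}) == trials


def passphrase(words: int = 6, wordlist: list = WORDS) -> str:
    """Software fallback for a dice-style passphrase.

    EFF's instructions prefer physical dice so a compromised computer is
    never in the loop; if you must use software, use `secrets.choice`,
    never random.choice, which is seeded and therefore replayable.
    """
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print("same seed, same rolls:", prng_rolls(2018), prng_rolls(2018))
    print("fresh key:", symmetric_key().hex())
    print("passphrase:", passphrase())
```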

Another use of physical randomness is in EFF’s Dice passphrase scheme.  If you read the instructions, you’ll see that they really don’t want you using a computer — which might be compromised — in any step of the selection of a password/passphrase that matters.

Internet companies have to generate thousands of strong keys per second for encrypted sessions.  Cloudflare, for example, found a very groovy way to solve this problem:

[Photo: Dani Grant]

So my New Year’s wish to you: keep it random!


Safer Email


Today let’s think about how to be safer using the oldest internet application still in common use: email. Email predates the Web by about twenty years. So when young people accuse it of being “for old folks” (meaning, people like me) I have to admit they may have a point. But email is still far and away the best mode of communication for business correspondence, and for the exchange of personal messages longer than 160 characters.

And long before the web, but shortly after the creation of email itself, spam was born. In addition to being annoying, spam can create some information safety issues. So there are two main things I want you to remember when seeing spam in your inbox: use the spam you get to better train your filter, and never click on any links nor open any file attachments.

All modern webmail clients have built-in spam filtering. Personally, I use Gmail to read my mail, even mail from other domains. The benefit of using an established webmail system as your mail reader is that the provider’s spam filters have been exposed to billions and billions of emails, and so they are very well-tuned for a low rate of both false positives (when the filter puts a valid email in the spam folder) and false negatives (when it delivers actual spam to your inbox). The less of either, the happier you are with the result.

You train spam filters by identifying both false positives and false negatives for it. For example, in Gmail, there is a “Report Spam” menu option or button in every non-spam folder and a “Not Spam” button in the spam folder. You should make use of these whenever possible. That means occasionally visiting the spam folder to look for those false positives. The more you do this, the less it will be necessary – because the filters adjust their criteria better to the kind of email you get and even to your subjective tastes about what is and is not spam.

One notable subset of spam you always want to be excluded from is the scams. Disney vacations, prizes in lotteries (that you don’t remember entering), gift cards and many more unbelievable windfalls show up in your mailbox by the hundreds each month. As you no doubt know, these are nothing but scams to get your personal information or to extract redemption fees to claim these imaginary prizes. Mark them all as spam.

And of course, there really is no dead Nigerian prince whose family lawyer wants to pay you 20% of $1.6 billion to help them expatriate the money. The only thing that you will get for responding to these is an escalating series of demands for fees to cover the assorted (made-up) mechanics of moving the (imaginary) money and finally (never) paying you. Sending these emails is a crime, and you can report it to the FBI at

Phinally, phishing. Phishing is the sending of emails carefully crafted to look like they come from a legitimate organization, such as a bank, a government agency like Social Security or the IRS, or an employer. The typical phishing email will have a message designed to create some sense of urgency, and links crafted to resemble the links to the legitimate website being spoofed. For example, the email may alert you to a credit card fraud attempt, and the links embedded go to (for example). The problem here is, Chase Bank’s website is really at When you go to, which was created by the scammers, you will indeed find the familiar login screen and so on. When you log in through this screen, you will land on the familiar opening screen of However, because you logged in through the scammers’ fake page, they’ve snagged a copy of your ID and password in the process. It is easy to do that and then pass your valid credentials along to the real site, so your experience is the same as usual. The fake login page looks very real because the scammers can easily go to the public pages of the real and grab copies of all the graphics, fonts, content, style sheets and even a fair amount of the programming code needed to make certain pages look and work the way the real ones do. The result is a presentation that even professionals will have a hard time distinguishing from the real thing. It sounds like a lot of work but it pays very well. One single phishing attack in April netted $495K from a Michigan investment firm. And any given phishing email can go to millions of users at a time.

The lesson here is, never click on links in emails, unless the senders are personally known to you, or for things like password resets that you know you initiated within the past few minutes. Certainly, for financial and government services, you should navigate to their websites by way of known links you have previously saved as bookmarks or stored in secure password-manager records. If you use a search engine to make initial contact with an agency or company, make sure that you skip past the sponsored links and click only on the most relevant non-sponsored one. Phishing emails, like all scams, should be reported to the FBI at

Whether it’s spam or phishing, when an email arrives that “wants” you to click on its links, leave it wanting. Especially, never click on “unsubscribe” links in spam email. Doing that simply confirms for the spammers not only that your email address is valid, but that you actually read their email. They will reward this by showering you with much love. And spam. Well, mostly spam.


A Modeling Job for You



Motherboard, a part of Vice magazine, has published a very good Guide to Not Getting Hacked.  It’s also available as a PDF.

One of my favorite sections draws from the EFF Threat Modeling page.  “Threat modeling” may sound like something a management consultant would explain to you with 19 PowerPoint slides for only $45,000.  But it really just consists of considering these five questions:

  1. What do I want to protect?
  2. Who do I want to protect it from?
  3. How bad are the consequences if I fail?
  4. How likely is it that I will need to protect it?
  5. How much trouble am I willing to go through to try to prevent potential consequences?

Ultimately the goal of information security is not to protect the information assets absolutely.  Protecting anything absolutely is not even theoretically possible.  What we’re trying to do here is make the information assets more trouble to attack successfully than they’re worth.  If stealing a new sprocket design from the engineers at Spacely Sprockets is worth $4 million, then we have to make it cost an expected $4.5 million or more to get.  That way, even success is failure for the attacker.

But if preserving that design is worth $4 million to us, we’d be idiots to spend $4.5 million defending it.  We could post it on Facebook and save ourselves $500,000.

Threat modeling is really just taking a breath, refusing to panic, and applying all-too-UNcommon sense.

Internet of Crap


Welcome to the wonderful world of the Internet of Things. You’ve probably seen this term in the news a bit lately. Perhaps you read about it in connection with a massive botnet called Mirai, or its even more potent descendant, IoT_reaper.

The term Internet of Things (IoT) refers to items – other than computers, tablets or mobile phones – that are connected to the Internet and communicate back to their manufacturers or distributors. A prime example of this is printers and copiers that report supply consumption and diagnostic data back to the manufacturer. This allows service calls and supply replenishment to arrive with minimal delays in production. A great benefit, to be sure.

The problem arises when large numbers of consumer devices start using this same capability, but without much in the way of careful design or attention to the possible security compromises. A buyer of a $1,500,000 production printer may safely assume that some attention has been given to this issue by the manufacturer. They also know that $1.5M worth of business gives them quite a bit of leverage to press the manufacturer to fix it if something is wrong. But a buyer of a $20 “smart” light bulb has neither of these safety factors. For $20, you get what you get.

As more low-cost consumer devices start turning up with internet capability, we start to see some very odd ideas expressed in this technology. Late in 2015, we learned about a vulnerability in Samsung refrigerators that exposed customers’ GMail logins (including passwords) to cyber-criminals. Many people had questions about this. “How could this happen?” “Have they fixed the problem?” My question was, “WTF were REFRIGERATORS doing with GMail logins?”  This illustrates the first principle of IoT security:

  • 1st Principle of IoT security: Don’t give your devices information they don’t need. Think about what the impact could be when information you give to something like a refrigerator is leaked to cyber-criminals. If a device works and does what you want without the information it keeps asking for, don’t give it. Its feelings won’t be hurt; it has no feelings.

As I have said a number of times in this space, the essence of security is not absolute, but relative safety. Make trade-offs intelligently between risks and benefits.

When I get a new device, one of the first things I do is assess what I will gain by connecting it to my network and to the internet, vs. what might be at risk if the device’s security is not up to snuff. Most of the time, my conclusion is, “don’t connect it at all” or “connect it to the home network but keep it off the internet.” If your router has a parental controls feature, where you can restrict your kid from getting online, you can also use that to restrict your fridge from getting online. Most devices’ main reason for being connected to the Internet is to feed data back to their manufacturer that can — at the most benign end of the spectrum — be used for marketing purposes.  Consider that when assessing the risk side of this question.

  • 2nd Principle of IoT security: Don’t allow devices to connect directly to the Internet or the rest of your home network unless necessary.  Figure out what you’re really giving up if you don’t connect the device. And if the answer is, “not much”? Don’t plug in the wired connection, don’t give it the WiFi password, just say no.

Brian Krebs is an information security researcher (hacker!), with a blog that is very popular in our field. He does a lot of independent investigation of cyber-criminals, and as a result he often draws their ire. He has had heroin shipped to his door, and they have spoofed phone calls to police that result in the SWAT team being dispatched for the non-existent “hostage situation.”

Last fall, Krebs’ blog website was hit by the largest denial-of-service attack that had ever been seen to that point: a botnet directed over 660 gigabits/second of bogus traffic at his server. For comparison, the fastest connection available from Time-Warner in Rochester is 50 megabits/second, so this was larger by a factor of 13,200. All of that focused on a single web site will disable the servers by sheer volume.

Upon investigation, the source traffic was found to have been infuriatingly simple. The attackers had just scoured the internet for connected IoT devices and checked them to see if they still used the manufacturer’s default username and password to allow remote access. They were able to find millions that did, mostly CCTV cameras and cheap routers. Those were harnessed by the criminals to start sending Krebs a synchronized tidal wave of garbage network traffic. It’s tempting to say they were “hacked” but they weren’t, really. Their owners had offered them to the public with the documented default logins, effectively free to use for all comers.

  • 3rd Principle of IoT security: Change the default username and password. If the install process forced users of all new devices to choose any non-default username and password, that alone might have been sufficient to stop the attack on Krebs.

So to recap, our three principles of IoT security are:

  • Don’t give your devices information they don’t need.
  • Don’t allow devices to connect directly to the Internet or the rest of your home network unless necessary.
  • Change the default username and password.

Yes, there are problems in IoT security, and we’re going to need the manufacturers to address poor designs and worse implementations. But by applying these three principles, we can reduce the impact on our own lives, so that we still get some benefit from these modern things.


Time to Go!


Where?  To the Rochester Security Summit of course! It kicks off tomorrow for two days of security geeking-out.  I am looking forward to it plenty.  My talk is on Friday at 2PM about full and responsible disclosure of bugs, bug bounties and so on.

This weekend I will make a post here, covering that topic.

3-2-1 Backup


Backup is the most basic information security measure.  Whatever else happens, your worst-case, baseline fallback is: restore from a backup and get back to work.  So you always want to make sure your backups are rock-solid.  A rule of thumb for how to ensure that is easily remembered as 3-2-1.

3-2-1 backup means that you should:

  • Have 3 copies of your data (minimum)
  • Keep backups on at least 2 different media
  • Store at least 1 backup offsite

So you can see that this is not as hard or as involved as it might seem, I can give you an example from real life — from my own desk, my own PC.  I had been using CrashPlan Home for all backups here, but they just announced that the entire Home edition of the product is shutting down over the next year.  The deadline they have given me to get off is mid-January of 2018.

It’s true, I have two things that some home users do not: a second hard disk in my PC and a file server.  But the same effect can be had for anyone with, say, a large USB drive and a network disk like a Seagate Central.  The other thing I need, and that you’ll need, is a cloud storage service.

Backup #1: goes to my second hard disk.  There are many hazards backups protect against.  Probably the most commonly realized one is what we call PEBKAC.  That means, Problem Exists Between Keyboard And Chair.  In other words, this one is for when I am an idiot.  It will not protect me against hardware failure (unless that miraculously spares the one disk drive).  So, in that case, I move on to…

Backup #2: my file server.  This one will be OK even if my entire PC fails.  It’s also the one that I encrypt, because it’s also the source for a file-sync routine that goes to…

Backup #3: my cloud storage provider.  This is the one I will have to count on if the house burns down.  To do this, I chose a storage service that, like DropBox, does a continuous synchronization as its contents are updated.  Once primed, it will update every time the source backup updates.  I selected pCloud for this, because the yearly price for 2TB of storage was the most competitive, while still supporting the essential sync function.

Because I don’t trust the encryption at the file storage service alone, I am using backup software that provides local encryption.  For the software, I chose Duplicati.  It’s simple, it’s free (but make a donation, if you can!) and it’s open-source.  It also supports a vast array of cloud storage providers, so if I want to switch in the future, I will probably be covered.

3-2-1: make sure you can get a working copy of your data if you need to.  Somewhere!


Death and Taxes


Death and Taxes. With enough lawyers you can avoid most of the taxes, but as sure as I am typing these words, and you are reading them, every one of us is going to die[*]. While we each have a will to cover our possessions and assets, how many of us include in that document what to do about digital assets? More to the point – if someone dies and leaves no will, the law is reasonably straightforward about what to do with their possessions and finances. But our legal system has not yet really begun to address consistently what to do with the dear departed’s Facebook or Twitter accounts, their email, websites, and so on. These are digital assets, but there’s not necessarily a physical item that corresponds to any of them. To make sure these are handled according to my wishes after I die, I have made a “data will.” Note: I am not a lawyer and this is not legal advice. If you want your “data will” to be enforceable as part of your actual, legal last will and testament, you must consult a lawyer.

What’s in a data will? This will differ in the details for everyone but I think these major sections are a good starting point. First and foremost, passwords. If you are using some kind of password management tool (as I suggest!), this will be easy. You will only need to tell your survivors where the password data resides, and what is the master password to gain access to it. If there’s no password manager wrangling all your individual passwords, you’ll have to list them all in this document, or an attachment. The password list or manager also provides a map of where you had an online presence and business or personal relationships, which will help in other ways.

If some of your online accounts have two-factor authentication such as an app on your phone that generates a 6-digit code when logging in from a new device, etc., make sure the document details where to find that, and how to use it. Also, include information on how to unlock your phone!

Email is still a fundamental service in the online world, especially when it’s the focal point for most sites’ password-reset processes. So make sure your document includes an abundance of information as to where your email is delivered, how to log into it, and pointers to the password manager entries for the email password (or the email password itself).

You may wish some of your online accounts and services to continue running. For example, you may host a family website, or use a backup service that includes your spouse’s or other family members’ data. Instructions as to what should be kept going vs. what can safely be shut down will be useful here. Also consider that any auto-pay arrangements, such as monthly or annual billing to a certain credit card or via PayPal, might not be obvious to your loved ones. Make these arrangements explicit in this document.

Finally, how to notify online friends & colleagues of your death. Many of us are members of virtual communities that might not have visibility to other more traditional ways our death would be communicated, such as local obituaries or even Facebook pages. If you are a member of professional mailing lists or other such niches of cyberspace, make sure your survivors will know how to send a notification to those communities. You may have been working on a joint project at the time of your death: it’s only polite to let the team know you won’t be at the next meeting.

Once you have completed this awesome document, you have two main things to worry about: How to make sure it has the desired effect once it’s needed, and how to keep it safe, meanwhile. I mentioned above that if you want it to be legally enforceable, then you need to consult with a lawyer as to how to make it part of, or an attachment to, your will. Be sure to confirm whether or not it will become part of the public record – if so, you will want to work with your lawyer to conceal the passwords and other sensitive information in your document.

As for the security of the document while you’re still alive, I refer back to the three most basic concepts of information security: Confidentiality, Integrity and Availability. All three of those apply here, with very high stakes. You need to be sure the document is not disclosed to anyone unauthorized, that it is not altered without your knowledge, and that your survivors can get to it after your death without serious obstacles. There are many ways to accomplish each of these three things, but what I will delve into in a future post is document storage “in the Cloud”, and how that can address all three of these concerns.

This article originally appeared in the September 2016 edition of The Empty Closet.

[*] – except maybe Peter Thiel but really… who wants to be a vampire?

The Most Basic of Basics


There are three elements of safer computing:

  • Confidentiality — keeping what must be private, private
  • Integrity — making sure no changes are made without your authorization
  • Availability — making sure you can get to everything you rightly should be able to

Everything I am going to suggest to you in these pages supports at least one of these elements.

There are a lot of things to talk about, and some of them need a pretty detailed discussion. But to begin, I am going to ask you to look at the most basic – even unglamorous – things that are just so important they should never be neglected. So let’s start right out with the most unglamorous one of all, but also the one most effective at helping you recover from the greatest variety of hazards.


All your important data should be backed up, ideally in two or more different ways. For example, if you copy everything to Google Drive or Dropbox, you should also get an inexpensive removable drive like a Passport or a MyBook and copy everything to that.

Backup is really cheap protection against so many hazards, everything from a ransomware infection to a house fire. Using different locations diversifies your protection. If the MyBook is in the house next to the computer when fire breaks out, it’s not likely to be usable as the backup. On the other hand, if you need to get files back quickly after a mishap like an over-enthusiastic disk cleanup, a MyBook will be five to fifty times as fast as pulling data back down from somewhere on the internet.

Make sure that however your backups run, they don’t require you to remember to do something every time. You can set them to be scheduled for a certain time or choose a backup scheme that runs continuously, monitoring for new or changed files all the time and backing them up in the background. The schedule you choose determines how much data you can expect to lose after a disaster. What this means is, if you suppose you might lose your main disk at any random time, and you have a backup that runs once a week on a schedule, then your data loss from what hasn’t been backed up can be up to seven days’ worth of changes. If that’s tolerable to you, then a weekly schedule may be just fine. But if you cringe at losing even seven hours – never mind seven days – of changes to your data, you should be looking for a backup that runs daily or continuously.

Finally, a bit that too many people forget: testing.  Every so often (I would suggest once a month: set a calendar reminder), you have to test your backup to make sure it does what it says on the tin.  Pick a file at random from a recent backup, and restore it.  Don’t overwrite the original; choose another location.  You want to be able to confirm that the restored file and the original match.  Besides confirming your backups actually work, it also keeps your hand in on working the restore process.  In an actual emergency where you need to restore critical data, deer-in-the-headlights is not a good look on you.
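Here is an added example (my own illustration, not code from the original post or from any backup product) that automates the monthly restore test described above, and doubles as a check on the local copies from the 3-2-1 post: it picks a file at random from a backup, restores it to a separate scratch directory (never over the original) and compares SHA-256 hashes so a stale or corrupted backup is caught. It assumes the backup is a plain mirrored directory tree, as a USB drive or file-server copy would be; all paths and files in the demo are constructed.

```python
"""Added example: automated restore test for a mirrored backup directory.

Assumptions: backup is a plain directory tree mirroring the source;
Duplicati-style archive formats would need their own restore command
first. Sample files are constructed on the fly in a temp directory.
"""
import hashlib
import secrets
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files don't need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def pick_random_file(backup_root: Path) -> Path:
    """Choose a backed-up file at random, returned relative to the root.

    secrets.choice is unpredictable, so you can't unconsciously keep
    testing the one file you know is fine.
    """
    files = [p.relative_to(backup_root) for p in backup_root.rglob("*") if p.is_file()]
    if not files:
        raise ValueError("no files found under %s" % backup_root)
    return secrets.choice(files)


def restore_test(source_root: Path, backup_root: Path, scratch: Path,
                 rel: Optional[Path] = None) -> dict:
    """Restore one file into `scratch` and compare it with the live original.

    Returns a report dict; 'ok' is True only when the restored copy's
    SHA-256 equals the original's. Never writes into source_root.
    """
    if rel is None:
        rel = pick_random_file(backup_root)
    restored = scratch / rel
    restored.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(backup_root / rel, restored)  # the restore step, to a separate location
    report = {"file": str(rel), "restored_to": str(restored), "ok": False}
    original = source_root / rel
    if not original.exists():
        report["reason"] = "original no longer exists; verify against your own records"
        return report
    report["original_sha256"] = sha256_of(original)
    report["restored_sha256"] = sha256_of(restored)
    report["ok"] = report["original_sha256"] == report["restored_sha256"]
    if not report["ok"]:
        report["reason"] = "restored copy differs from original: stale or corrupt backup"
    return report


def demo() -> tuple:
    """Constructed scenario: a faithful backup and one that silently went stale."""
    base = Path(tempfile.mkdtemp(prefix="321-restore-test-"))
    src, good, stale, scratch = (base / n for n in ("src", "good", "stale", "scratch"))
    (src / "docs").mkdir(parents=True)
    (src / "docs" / "taxes-2016.txt").write_text("constructed sample document\n")
    (src / "photo.bin").write_bytes(secrets.token_bytes(4096))
    shutil.copytree(src, good)
    shutil.copytree(src, stale)
    (stale / "docs" / "taxes-2016.txt").write_text("older version\n")  # backup fell behind
    good_report = restore_test(src, good, scratch / "a")
    bad_report = restore_test(src, stale, scratch / "b", rel=Path("docs/taxes-2016.txt"))
    shutil.rmtree(base)
    return good_report, bad_report


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Run it against your real source and backup roots by calling `restore_test(Path("/path/to/source"), Path("/path/to/backup"), Path("/tmp/restore-check"))` and treating any report with `"ok": False` as a backup problem to investigate that day.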

A wide variety of free and low-cost backup software is available. Check out these superb write-ups from Tech Support Alert, a site that specializes in reviews of freeware. For Windows, browse to and for Mac,


Questions?  Send them to


This article originally appeared in the May, 2016 edition of The Empty Closet