
With Graham incapacitated, we drag an episode out from the archives. In this special “splinter” episode of the “Smashing Security” podcast from September 2017 we tackle the tricky subject of backups – When did you last back up your data? How and what should you back up? And where should you store them?
Lots of questions and Graham gets to do his Tina Turner impression.
All this and more is discussed in this edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Hello, hello, and welcome to Smashing Security episode 123. My name is Carole Theriault.
And I'm Graham Cluley.
Did you hear that? That is the gorgeously gobby Graham Cluley. And the poor little sausage has a little throat problem. Don't you, Clu?
Just a little one, yeah. It's just someone's stolen my data, but they've stolen my voice instead.
Is your neck all wrapped up in a big towel and you got lavender stuffed into your pants and stuff?
There's always a slight whiff of lavender about me anyway, but yeah, I've got a little bit more than normal. So why don't you walk us through exactly what happened here? Do I have to? No, I was kidding. Scrap that, scrap that. So as you can see, folks, recording this week is going to be rather difficult.
My name's Graham Cluley, and I'm joined by my good chum and co-host, Carole Theriault. Hello, Carole. Hello, Graham. Hi there. And we are here today for a very special splinter episode. Buckle your seatbelts, people. Indeed. And we are joined by a special guest returning to the show, Maria Varmazis. Hello, Maria. Hi. Hello. Oh, I imagine life has changed for you a lot since you last appeared on the show.
Oh, the fan mail just comes flooding in. And I just don't know what to do. You're welcome. Yes. You're welcome. My life has forever changed. It's been so amazing. I bet you can hardly leave your house now. The hordes of paparazzi. Exactly. They're so annoying. It's just a thing.
What we're going to talk about today in this special splinter episode is we're going to talk about backups. Oh, boy. Backups in your home, backups maybe in your small office. We're not going to look at enterprise backups as such, but it's more sort of how you're going to deal with your personal computer and devices and keeping those backed up.
No, I'm not going to be revealing lots of, you know, my backup schedule. Okay, live on air. Intimate details. So this is going to be a really interesting show for me. I know that you guys are both backup whores. What? So, well, you know. For the record, you can never have too many, maybe? Exactly. I wish I had more backup than I do. I never feel I'm fully secure in my backing up-ness.
Call me a backup whore. You make me feel I'm Tina Turner singing Private Dancer. It's my private backup. My backup for money. I don't do backups for money. I do this for free. I do it because I just think it's a jolly good idea to have a backup and to make sure that that backup is secure as well and that if I need it, I can get back up and running as quickly as possible. So I think the first thing is backups are great. But in many cases, people haven't done a backup recently enough. So you'll come across someone who's maybe accidentally overwritten some of their data or they've had a hard disk failure, or maybe they've been hit by something like ransomware, and you say to them, have you got a backup? And they go, well, I did one last October or something like that. And that's a backup which is older than six months or something.
I have been that person. Really? I have been that person.
So what happened? How did you lose your data?
Sorry, I didn't lose my data, but I'm the person who, you know, sometimes in the past I've had months go in between backups.
So my first rule of backups is you have to, as much as possible, remove the human element. Because if you're relying on yourself or somebody else to manually do the backup, it ain't going to happen. You're sitting in front of a computer device, which is really good at remembering to do things and doing things on a schedule. Computers screw up things all the time, but if it's a boring mundane task, which frankly doing a backup is a boring mundane task, if it's something which will be easy to forget, then get your computer to do it on a schedule instead.
I think that's actually really good advice because a lot of people, me included, have put off doing a backup, a manual backup because it slows everything down just a bit. And you're like, I'll do it later, I'll do it when I'm finished doing my work, and then you forget.
Well yeah, a lot of people do say backups slow things down. I think the initial backup can be a lengthy process, can't it? Because when you haven't got any previous backup, if you're backing up your entire hard drive or all the files in your user folder or something like that, then that may take a while to put onto a device or upload to the cloud or wherever it is. And we'll get into the different places maybe you should back up. Once you've done that, then you begin to get into sort of incremental backups, where the backup may only be a backup of what has changed since the last full backup instead.
Unless you're like me and let months go between backups, and then that incremental backup is massive. And then it becomes a snowballing problem. I'm just awful about it.
First of all, let's talk about why we actually need these kind of backups, and then we'll get into sort of different things that we can do to do them. As I said, accidents happen. So I used to be a computer programmer. I remember way, way back, you know, 25 years or whatever, when I was programming on a computer which didn't even have a hard drive, I was saving my source code onto floppy disks.
Well done, Grandpa.
Glad you said it. And floppy disks, obviously, are not the most reliable storage format, and they're notoriously bad sectors and things like that. So I would have piles and piles of floppy disks. And I'd be so paranoid I was going to lose my work that I'd save it on this floppy disk, but then I'd have another floppy disk, which was a different color, or labeled with something else. And I'd have all these different versions and archives of past versions of my source code. And I know how organized
you are as well. So they're just sitting on your desk, basically, right? Yeah, no, a pile. Literal strewn everywhere. Strewn around me like I was one of these people who hoards inside their house. You know, just mountains of floppy disks everywhere. But that was kind of what it was like because I had nowhere else to put these things. You didn't have USB drives. You didn't have anything else. So you had to use this kind of medium. Yeah, or you've had a virus threat, for example, or someone's stolen your data. Your house burns down.
Your house burns down. Exactly. So these are the other threats. There's the physical damage which can happen if your house gets flooded or if you suffer a fire or something like that. Cat pukes on your discs, whatever.
That has never happened to me. That's why I would never mention it.
So something like that happens and you want to get your data back and it's, oh no, this has happened. And so this is my sort of second rule is that if you've got a backup, if the only backup you have is inside your house or another drive which is on your desk, that's not really a backup. I mean, yes, it might save you from those sort of accidental deletion of data or something like that. It's better than nothing.
It is better than nothing. And all of these things are better than nothing. And, you know, if you're going to do something, just do something.
Do it properly, is that what you're saying? Yeah. So we're talking about people at home, right?
This is going to be, okay. So what do they have to back up? So I can understand things like photos, email, you know, some files, but it just sounds like you won't have to back up your entire system if that necessary.
Don't need to back up every single file on your hard drive because the operating system itself, you know, maybe you've got the CD-ROM or you're able to reinstall it onto another computer. Applications you can reinstall from the original media or you can download those from the net if you need to. It's the files which actually belong to you, which you created. So it'll be the photographs. It will be, you said emails actually, but a lot of people will be using a web-based email system.
That's true. Although you may still want to back that up. There are arguments for doing that.
Some people still use POP and they download their emails and some people still do that. Yeah, some people are doing that. And there are services available if you want to back up your Gmail, for instance. You may want to back up your contacts details, your calendar perhaps. You may have database. You may have Word documents. Do you know what? You just have reminded me. So, I don't know, this is probably about five years ago. We were robbed at our house. Right. So a backup to another drive, maybe on your desk or to a NAS systems, NAS storage or something inside your home office or something like that is a good idea. But I would argue that it's not a real backup because it is still at risk, although it probably will avoid the accidental deletion or something like that.
Oh, that's nasty. That's nasty. But they're nasty little buggers, aren't they? They are. That's just mean. But they know how to pull on the heartstrings and they know how to convince you to pay up. So the thread I'm picking up here is that people are very undependable and we should just be misanthropists and not trust ourselves or anyone else. The thing is, though, Graham is all these things, right?
A killer. There's always something better to do, right? There's always a video of some... I don't know.
Backing up's pretty fun. There's always a video of some Irish folks chasing a bat out of their kitchen. Carole sent me a YouTube video. I can't remember if it was this morning or yesterday. She sent me a video of some... Was they Russian kids or something? Anyway, some Eastern European kids from 1969 who were juggling tables on their feet. There's always something more interesting, like your phone ringing. And that's why you're not going to backup your thing. Quid per, no. Done and done. So I think, yes, back up to a local storage device because you might have an accident on your computer. You may overwrite the data. You may have some sort of disaster. Pretty sweet, right? That it happens when you're, I guess, asleep in your little bed. But I know people who turn their computers off, like off, off. And I'm thinking of my mother, but she's not the only one. I know a lot of people that turn off Wi-Fi throughout their house in the evening as well. If you haven't got a computer which will automatically wake up and do those sort of things from sort of a sleep mode, then yes, it has to be scheduled at a different time. I'm sure there are programs out there which will detect, oh, you're not doing anything between these hours. Therefore, I'm going to slowly start backing up to the drive. Yes, exactly. But if you're talking to people from a home capacity, do you really feel that that many backups is actually required? Because I don't.
What's the harm, right? If the software is only backing up stuff which has changed, what's the harm in it kicking off at midnight or whenever and just doing a very quick update of whatever has changed? Why not do it?
I don't think we should back up our crap. We should just back up the stuff we really want to keep.
Oh, but you can be selective, right? You can choose the directories. You can say, okay, just
Just pictures, just any videos that may have changed, any letters I've updated, whatever. That's the
Approach I take personally. And it
Makes it a lot faster.
Right. Yeah, exactly. Choose those kind of things rather than a blanket, you know, update everything. Operating system, libraries, and all those sort of things which you're not interested in or applications. No worries. Do that way if you want to.
So I guess what you're saying is the first question people should ask themselves is what would really upset you if you lost it? Right. Number one, write a list of that. Then number two, how often are you backing these up, if at all? And what's your plan B if there's a fire or you have a cyber attack or whatever?
Okay. So now I've got this backup daily, which is happening inside my office onto another drive. And that's all tickety-boo. You could do it onto a USB stick if you really wanted to, and then you could take it with you. You also want to consider things like encryption, obviously, and your hard drive should be encrypted. That's a whole different debate.
That is important, though. If you do a cloud service, especially if you're using a third party or you want to back up and you want to protect that data, encryption is the layer you need, right? Yes. I think we're talking more today about safety rather than security. If you get the sort of the subtle difference there. But yeah, generally with cloud services, my advice is you want to encrypt the data before you put it into the cloud service. Yeah, I think that's a really good point. Can we go back to the idea of encrypting your local drives for a second? Because I actually don't do that. And I feel really bad about this. I don't do that. I'm not saying it's a good idea, but I don't. You mean your local drives on your hard drive at home? Hey look, it's really easy to do. And it doesn't actually take that long. You could set it off running. Do a backup first, just in case. Obviously. In case it screws up. It's probably more important on laptops than it is on desktop computers, because a laptop you're taking to a restaurant, you're taking out to other people's work. Laziness. Just pure laziness. I'm just so lazy. And I'm just in the confessional right now going, oh, my God, I don't do any of these things. And I really should. This is my job. I should be doing these things, but I don't because I'm lazy. I think Maria and I represent more people than you do. Okay, I'm
Not ridiculing you. I'm sort of gently encouraging. I hope you—
Are not. I'm just saying, you know. Just shaming us. Shame, shame, shame. You know, it's just your passwords and the encryptions and the backing up and the security software and the firewalls. Once it's set up, then the computer handles everything.
You know what my personality is like, right? I'm a complete arse, right? I'm not arguing. I'm not arguing. But the computer does it all for me. Once it's set up, I don't have to worry anymore.
Okay, I have an idea. Why don't you come over to my house and set all mine up? Will you make dinner? Yes, I will make you dinner.
I would sort that out for you.
Okay. That'd be fun. Can you fly over to Boston then and do it for me next? I mean, I know in theory how to do these things, but I guess in my mind, if the more of these things that I set up, the harder it is for me to check my backups to make sure they're actually working. Well, yes. Yeah, that's a really good point. I'm way less worried about being burgled than just losing my, just generally not being able to access my file. So when I weigh those risks, I'm just need accessibility to be number one. Not to try to justify my poor choices in life. No, no, but I think I agree with you. I agree with you. I think these are really big things that people ask themselves. And it's great to hear Graham go, and you should do this, and you should do that, but there's the reality of it here too.
Right, so can I go to my solution for offsite backups now? Having said, I think it's useless taking your hard drive around to Auntie Jean every week and saying, can you put this in your Fireproof safe or something? Just don't think it's gonna happen. I think probably for most people, some sort of cloud backup solution is a good idea. There are some very consumer-friendly solutions which will do this, little programs which will run in the background. And again, will only backup the files which have changed. And then if you have any kind of disaster, it could be a hardware disaster. It could be that you've overwritten a file. I find myself using online backup restoration all the time because I've been doing a little bit of coding on my website or something, or I've deleted a file, which I then realized, oh, damn, that file I had six weeks ago. I really need it now. And I put it into the trash can. I can go to my online backup and it will dig it out for me. I could use my local backups as well, obviously, for that purpose. I just personally find the online backup software I'm using easier to use and to search for. So I use that. If I was doing a restoration of all of my data, then yes, I'd use the online off-site backup. I'll tell you, I've been using one for years called CrashPlan. It just runs in the background and never bothers me. And it tells me that, you know, it lasted a backup two minutes ago.
Isn't CrashPlan not available, though, for home users anymore or something?
Well, this is really one of the things which sort of made me think we should talk about backup. So CrashPlan, just a couple of weeks ago, put out this message to their home user customers saying they're no longer going to be selling the consumer version. If you want to keep with them, you have to upgrade to the small business version, at least, which does cost more money. And they've suggested that you could switch to some alternatives. And the one which they've sort of partnered with is an alternative called Carbonite, which doesn't do exactly what CrashPlan did. No, it does not. Doesn't suit everyone. There are other ones out there. There's Backblaze, Mozy, CloudBerry, which will use a variety of cloud drive services as your storage space if you wanted to as well. Personally, I've decided, you know what, I'm going to stick with CrashPlan because I know it works.
Yeah, and you have a business at home as well.
To be honest, I probably should have been buying the small business version from the beginning, rather than the personal one.
Okay, Maria, let's make a plan here. You and I are going to get off our backsides and sort out our backups.
Ideally, once you've set this up, it shouldn't require really any user interaction, right? It should just work. But the concern which you have, obviously, is that some of these solutions can get expensive, particularly when you end up being responsible for lots of different computers as well. Now, there is a solution which is, well, there's a few solutions which are less expensive. There's the CloudBerry solution, which is just a one-time purchase of a piece of software, which then uses your other cloud drive services, your Google Drive, your OneDrive, your Dropbox, and can use that space to put a backup into. What I would advise against, however, is some people think, oh, I've got these syncing services. I should just sync my hard drive or my documents with Dropbox, which isn't a bad thing to do, and then use that as a backup. And I don't really believe that is a backup.
Why? Wait, what? What? All right, clarify.
Let me clarify. So something like Dropbox, you can say, sync my documents. So you can then access them on your other computers. And that's all great. That all works fine. But I don't think that is a backup. And the reason is that if you get ransomware on one of your computers and it encrypts the documents in your Dropbox, then it is going to sync all your encrypted documents to those other devices as well.
Especially if you have sync turned on all the time, incremental sync. So it comes back to this issue, which I mentioned earlier, of if your backup is accessible from your computer without having to jump through a hoop or something or log into something, then there is the risk that something like ransomware could actually damage it. Well, the Amazon Glacier would be great for someone like me who's storing a ton of family photos. I'm not modifying those ever. Because you don't need to access them or go back and forward all the time. You just want to have a second place.
Evil, though? Something like Amazon Glacier only costs, I mean, less than half a cent per gigabyte per month. So it's really, really cheap. It obviously gets more expensive if you want to extract, if you want to request data back out of it to retrieve. But it's, you know, for that kind of storage, it's perfect. So is this actually available for the consumer set? As a non-business, would I be able to use that? So I don't have to be some big fancy schmancy guy to do that. We've probably been talking about backups enough. Hopefully, we've got everyone thinking about the threats which are out there and how to protect against them.
Yeah, yeah. We've talked about that. We've talked about that. You have to test your backups.
So otherwise, you'll only find out your backup regime has failed when you least want it to fail, when you want to make sure it absolutely is working.
This isn't fun. I don't think anyone who tries to tell you this is a fun thing to do is lying.
You know what? I'm going to disagree with you. I love setting up little automated systems on my computer to go and do things.
Really? Again, I look forward to your visit. I look forward to your visit. Don't dilly dally. My backups need you. My files need you.
All right. I will pop around and we will sort it out. You might have to get your checkbook out for some of the services, but we'll...
Hey, I'm making dinner. I thought I'm making dinner.
Yeah, but your dinner isn't going to pay for the online backup service, is it? Oh, that's coming out of my pocket, is it?
Hey, now mac and cheese it is. There's nothing wrong with mac and cheese. You're right there.
On the bombshell that Carole is going to feed me mac and cheese, I think it just about wraps it up for today. If you want to find out more about us, go to smashingsecurity.com. You can buy swag at smashingsecurity.com slash store or join us on Facebook at smashingsecurity.com slash Facebook as well. Thank you. I love when Maria's on the show. She's a good guest. I wish this was a more interesting topic to opine on. Well, you know, I agree. But there we are. I promise I'll get you back on.
Well, maybe, Carole, in a future episode, you can tell the audience just how much fun it was when I came round and set up all your backup regime for you.
Oh, wow. Yeah. Hold on to your hats for that, listeners.
Hosts: Graham Cluley and Carole Theriault
Guest: Maria Varmazis
Show notes:
- Tina Turner – Private Dancer — YouTube.
- The Baranton Sisters foot juggling tables — YouTube.
- How to create a robust data backup plan (and make sure it works)
- How to back up your iPhone, iPad, and iPod touch — Apple Support.
- How to back up your Android phone or tablet: The ultimate guide — Android Central.
- Crashplan stops offering its consumer backup solution
- Carbonite cloud backup
- Backblaze Online Backup
- Mozy Cloud Storage & Backup
- Amazon Glacier
- CloudBerry Lab – Cross-Platform Cloud Backup
Warning: This podcast may contain nuts, adult themes, and rude language.