Google Drive, Backup and Sync, and Google Drive File Stream

For Mac and Windows users there are lots of ways to access files in Google Drive. You can work with documents through the browser or use the Drive app (recently revamped as Backup and Sync) to sync files in a local drive folder to Google’s cloud. The new Backup and Sync app also lets you choose folders to back up to the cloud. While this is not the only thing you should do to back up your files, it is certainly a good thing to do.

This year Google also introduced Team Drives, which function as file servers–a team can have a folder, and team members can share and access files and folders there, based on group permission. If your group would like access to a team drive, please send email to help@cs.unc.edu. Team Drives do not show up in your Google Drive folder, but are visible in the browser interface.

We are currently an early adopter of Google Drive File Stream, but the software should be publicly available soon. What this software does is mount your Team Drive and your Google Drive space just like a regular file server. This makes it easy to use your OS file interface to organize your files.

What about Linux users? There are some options.

  • rclone, which uses Google’s API to create a link to Google’s cloud. It also supports lots of other cloud services, so it’s a nice tool for folks who use lots of different cloud services. It does not provide automatic syncing for directories, so it’s more like using rsync over ssh to move files back and forth.
  • Another free alternative is GNOME 3.1.8, which has added support for Google Drive. Though not a syncing system, it allows Linux users to open and edit files through a window, and documents saved are synced back up to Google. Here are some instructions.
  • GoSync is a Python script that will sync folders to Google’s cloud every ten minutes. This may be a good option for making backups to Google Drive.
  • Not free, Insync is a cross-platform syncing client that supports Linux, Mac, and Windows. $29.99 is the one time license fee for the current version, and you get unlimited installs to set up syncing to one Google account. It offers more features than any of the free methods listed above.
Posted in Backup, Google, Linux, OS X, Windows

It’s World Backup Day

Several years ago, I discovered that I had accidentally deleted my photos from my personal computer. Fortunately, I was able to use a recovery tool to get most of them back, but it was a bit scary and a lot of work, and I don’t know what I lost that I was unable to recover. Today is World Backup Day, and I figured I would take some time and cover what I believe is a decent scheme to make sure you have good backups.

The bottom line is you really need four instances of your data:

-Your working copy on your main computer
-A regular backup in a different location
-Two copies that are offline

Why so many copies? Well, there are at least fifty ways to lose your data. Most computers use 1-2 drives that are not mirrored, so a disk failure means data loss. This is the most common way to lose a boatload of data. There’s just the usual threat of things degrading, see, for example, this article that a friend shared with me about file corruptions. And there’s also malware, crackers, liquid spills–I could go on, but you get the idea.

So, ideally, you want a backup that’s running at least daily for your important files, and that will protect you from most of the usual failures. But for this kind of backup, most people use external drives or online services like Dropbox or iCloud, and these are prone to ransomware or data corruption from other malware, or an active cracker, as Mat Honan found back in 2012.

To protect against those threats, you should have a couple of copies of your data offline. For this, I use a bare drive cradle and a couple of disks–they stay at home, and every couple of weeks, I bring one into the office and run a backup of my workstation. I use two, because sometime one of them will fail, like the time one of the cats knocked one of these drives off the shelf. Since these are offline, they aren’t very prone to most malware. (But not all–something like Ripper would still be a threat.) These are really for disaster recovery.

And if you really want to be secure against data loss, you might also consider using a cloud backup service like Crashplan. These provide better protection than basic cloud storage since they can keep versions of your files going back, some for years after a file is deleted.

This all sounds hard, but it really isn’t. The first step is to get some external drives and some free software to automatically run backups. (See the links below for some options.) Rotate a couple of those to somewhere else where they are secure and you’re mostly there. Then, add cloud backup if you really want to keep your data safe. And finally, do a restore every once in a while to make sure things are working the way you think they are.

More information:

https://bilhays.wordpress.com/2017/07/30/google-drive-backup-and-sync-and-google-drive-file-stream/

https://www.lifewire.com/free-backup-software-tools-2617964

http://www.linuxlinks.com/article/20090105114152803/Backup.html

http://www.tomsguide.com/us/best-cloud-backup,review-2678.html

Posted in Backup, Security

Eight Fold Path to Cybersecurity

Some thoughts on simple things people using Windows (in particular) can do to increase their security. General thoughts work for all operating systems.

First: Don’t Panic. Cybersecurity looks insanely complicated, and it can be, but for most people changing a few basic behaviors can dramatically improve security.

Four Inner Paths

These are things you can do on your computer to help keep it safe.

Patch, Forrest, Patch

One of the most important things to do is to keep software, all of it, up to date. In addition to enabling auto updates for the Windows operating system, you need to keep applications up to date. Two useful tools for this are Ninite and Qualys BrowserCheck.

  • Ninite’s web site lets you configure and download an installer/updater for the most common applications used. Once configured, you can run the software to update all of the applications chosen, either in the background as a scheduled process or from the GUI by double clicking on it. The pro version is even easier to use.
  • Qualys BrowserCheck is a free plugin that works with most browsers, and you can use it to check that the browsers, the OS and the most commonly breached applications and plugins are up to date–and if something’s not up to date, it provides a link to get the update.
  • Remember, some security patches require a reboot to finish, so reboot your system after patching.

Use Anti-malware software and services

For personal use, my current favorite combination is Avast for antivirus software and Malwarebytes to help find malware and adware. Both come in a free version for home use and both offer additional paid services. Enable the auto-protection features in your anti-virus software, and do periodic scans for malware.

But you can do more than just this to protect yourself. Harden your browser with security plugins: HTTPS Everywhere and Privacy Badger from the EFF can help secure your browser connections and protect your privacy, and Bitdefender’s Trafficlight can help you fend off malware attacks against your browser.

Not actual software, but another tip is to manually configure the Domain Name System (DNS) servers your computer uses, pointing it at Google or OpenDNS. Google provides DNS at 8.8.8.8 and 8.8.4.4; OpenDNS provides DNS at 208.67.222.222 and 208.67.220.220. The reason this helps is that typically you get DNS server information via DHCP from whatever wireless router you are connected to. So a malicious person could provide you with bad DNS server data and use that to direct you to malicious sites. Information on how to configure DNS manually is found here: https://www.opennicproject.org/configure-your-dns/how-to-change-dns-servers-in-windows-7/

and here:

http://www.howtogeek.com/164981/how-to-switch-to-opendns-or-google-dns-to-speed-up-web-browsing/

Enable Two Factor Authentication

The idea of two factor authentication is that you use a combination of something you know (typically your password), something you have (typically a smartphone or some other key or device) and something you are (biometric data like your fingerprint). That way if someone does get your password, it won’t be enough to get into your account. Google, for example, will let you set one or more phone numbers for text or voice, or you can use their Authenticator app, and you can also set up a list of one time keys to keep in case you lose your phone. Make sure to set up more than one second factor in case you lose access to one of them. Google calls this two-step verification; more information is here:
https://www.google.com/landing/2step/

PayPal has a similar system: you can have a code sent as a text message, receive a code via a voice call, or answer security questions.

As an aside, if you use security questions, I strongly suggest you make up a list of fake answers, since real answers may be available online or may be obtained by social engineering. What’s your mother’s maiden name? Bling. Where were you born? Mars.

Get A Password Vault

If you are like most people, you use the same password in multiple places. That means if your password is compromised at one site, all other sites with that password become vulnerable. A password vault lets you set a unique password on each site and can help you generate, store and enter passwords via a browser plugin. Then you can make sure you have a few easy to remember but strong passwords for your computer login and the vault, but don’t have to remember passwords for the hundreds of sites you visit. See this site for a comparison of popular vaults:
https://lifehacker.com/5529133/five-best-password-managers

One thing to note: many people store passwords in their browser. If you want to do this, you need to protect them by setting a master password–otherwise, the passwords are stored in plain text in your profile. For example, here’s how to lock down Firefox:
https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins

Four Outer Paths

These are things that involve using or keeping space to your advantage.

Make Regular Backups

Good backups protect you from data loss and from malware such as ransomware. My rule for good backups is pretty straightforward: you need four copies of your data, only three can be online at the same time, stored in two different locations. The first one is your working copy–that’s your laptop’s drive. Here’s why:

  • You want to have a pair of disks for disaster recovery. Two external USB drives work just fine. Keep these offline at home, say, and bring one into the office and make a fresh backup every two weeks or so. Set a calendar event if you need to. This will help prevent someone from deleting all of your stuff. Don’t rely on cloud services like iCloud or Google alone–don’t let this happen to you.
  • You need four copies of your data because one must be offline, you’re using the working copy, and you don’t know for sure that either of the other two copies aren’t bad. I know, it’s complicated, but if you let the number sink down to two copies, and the backup copy is bad and you don’t know that, when your working copy fails, you’re in it deep. I know, that happened to me–I had a tape backup system, but the tape I was using was bad and I didn’t know it until the drive failed and I tried and failed to restore the data.

So, one example setup is you pay for Backblaze, Carbonite, Crashplan or something similar. The cost is pretty low and you get cloud backup that runs all the time in the background. Then get your two disks, and you’re set. And most operating systems come with backup software. Here’s how to enable backups in Windows 10.

Also it helps if you use two different methods for making backups, so if one method fails, you’re still making backups.
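A backup you have never checked is one of the copies that might be bad. The following is an added example, not part of the original post: a small Python check that hashes every file in a working copy and in a mounted backup and reports what is missing, changed or left over. The directory names and sample files in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink():
                continue  # do not follow links out of the tree
            manifest[full.relative_to(root).as_posix()] = sha256_file(full)
    return manifest


def compare_backup(working_root, backup_root):
    """Report how a backup differs from the working copy.

    missing: in the working copy but not in the backup
    changed: present in both, but contents differ (stale or corrupt)
    extra:   only in the backup (deleted or renamed since the backup ran)
    """
    working = build_manifest(working_root)
    backup = build_manifest(backup_root)
    shared = set(working) & set(backup)
    return {
        "missing": sorted(set(working) - set(backup)),
        "changed": sorted(p for p in shared if working[p] != backup[p]),
        "extra": sorted(set(backup) - set(working)),
    }


def demo():
    """Constructed sample data: a working copy and a backup with three faults."""
    with tempfile.TemporaryDirectory() as tmp:
        work, back = Path(tmp, "work"), Path(tmp, "backup")
        for root in (work, back):
            (root / "photos").mkdir(parents=True)
            (root / "taxes.txt").write_text("2016 return\n")
            (root / "photos" / "cat.jpg").write_bytes(b"\xff\xd8 cat picture")
        # Simulate silent corruption of one file on the backup disk.
        (back / "photos" / "cat.jpg").write_bytes(b"\xff\xd8 cat pictur\x00")
        (work / "notes.txt").write_text("written after the last backup\n")
        (back / "old.txt").write_text("deleted from the working copy\n")
        return compare_backup(work, back)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A file listed under "changed" may simply have been edited since the backup ran, so run the comparison right after a fresh backup if the goal is to catch corruption.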

Scan your machine

We talked about Ninite and Qualys BrowserCheck, but it’s also a good idea to scan your machine from the outside. A simple tool for this is ShieldsUP!, at grc.com. What this will do is show you what ports on your computer are open to the internet. Generally speaking, none should be.

Get Informed

Cybersecurity is daunting. But you can learn a lot really quickly. Here are some blogs that are useful in keeping up:

Do not worry if much of this is hard to understand. What you are looking for initially is just an idea of what’s happening and how it affects you.

Use a Virtual Private Network

If your workplace offers a VPN, use it. If you travel or just rely on random coffee shops for connectivity, consider buying a VPN service. A VPN will encrypt data from your laptop to a secure server beyond the control of the folks running the wireless access point you’re using. They can also protect your privacy, and that may be important depending on where you are and what you are doing. Privacytools.io has lots of good tips on VPNs and other privacy related software.

Going Forward

So, these are some things you may find useful. My suggestion is to take steps incrementally–work on one thing at a time and only make one change a week. Focus on making the change work for you, and you’ll make steady progress.

Posted in Security

Increasing Browser Security

There’s been a rash of browser exploits the last year or two, mostly centered around Java, Adobe’s PDF Reader, and Flash. “Best Practices” (Best Practices really means “You should do this because I think you should.”) suggests disabling all of them, which is fine, but doesn’t really address what most people need, which is a way to use plugins they need when they need them, but block them the rest of the time. It is important to keep in mind that much malware gets picked up when visiting major websites. A cracker finds a hole in a web site, and then inserts a piece of malware that can take advantage of security flaws in Java, Adobe’s PDF Reader, or Flash, and your browser executes that code as you visit the website. Major sites such as NBC have hosted such malware, and for a while, Google served up malware in sponsored ads.

Here’s what I’ve come up with as a means for reducing my risk. I’m not an expert, but these measures are pretty easy to do and can help reduce your exposure to attack.

Use Two Browsers or Two Logins

The more you can separate your regular surfing and working with sensitive materials, the better off you are. Dedicating a computer to sensitive work is the best approach, but not practical for most people. Another similar option would be to use a bootable optical disk, such as the Tails ISO, and reboot your machine to that before accessing sensitive data.

At a minimum, don’t use the browser you like to use for general web surfing for anything that is potentially sensitive. If you use Chrome for your daily dose of YouTube and Facebook, use Firefox or Opera for your banking and accessing personnel data.

Another approach is to use two accounts. Create one account for general use, and a second for use with sensitive data.

Keep everything up to date

It’s hard to keep everything up to date, but you need to do that. An easy way is to use Qualys’s BrowserCheck. Make that your homepage, and then when you start the browser it will scan your system for updates to applications, plugins and the operating system.

Use OpenDNS with your laptop

OpenDNS provides free DNS services, and one thing they do is redirect you from known or suspected malware sites and help protect you from phishing schemes.

I particularly like OpenDNS because they also offer DNSCrypt, which gives you a secured connection to their DNS servers, which can help prevent man in the middle attacks.

Block Popup Windows

Use Firefox’s preferences to block popup windows. If you need popups for a particular site, you can enable an exception. Chrome does this by default.

Plugins

There are a lot of plugins out there you can use to help tighten security. Here’s a short list of the ones that I think are the most effective.

Adblock Plus

Adblock Plus is pretty well known, but in case you haven’t heard of it, it will block banners, pop-ups and video ads.

LastPass

LastPass is a free service and plugin that stores your passwords, encrypted, in a little database, and will fill in web forms with your id and password as well as other data. You can choose to store the passwords in their cloud, or you can store them locally, and it can sync passwords between browsers. Similar programs are KeePass and 1Password. The real advantage to this approach is that you use a long, strong password that is unique to each web site and service you visit, and you don’t have to remember any of them. When you need a password, you unlock the vault, LastPass fills it in for you, and you’re done.

One caveat: if you use a browser plugin to manipulate passwords, you really should segregate your sensitive work from your random surfing–the nature of the beast is such that the passwords are temporarily stored in RAM in clear text, so if some bit of malware can dump the RAM, it may have access to the password. Using a system like this is still much more secure, but it is something to think about.

HTTPS Everywhere

The Electronic Frontier Foundation has made a plugin that will test for and use HTTPS if it is available for all the web sites you visit. It’s called HTTPS Everywhere (https://www.eff.org/https-everywhere), and is available for Chrome and Firefox. This will help keep your browser sessions from being sniffed or hijacked when you’re in the coffee shop.

NoScript

There are a number of plugins and settings you can use to control what runs in your browser, but for Firefox, http://noscript.net/ provides the finest control. When you load a page, it will block all scripts and show you a list, and you choose the sites from which you will allow scripts to run. For similar control in Chrome, try NotScripts.

Both of these are painful at first if you’re using them correctly, because you need to read through the list of sites you’re allowing and limit what you allow. But once you have visited your usual sites, they are less intrusive. And they will show you which sites are trying to track you.

Additional Info

For additional settings, see the following web sites:

CERT on Securing Your Web Browser. This one does a much better job than I could to cover secure settings in Firefox.

Insanity.bit.com has a nice guide for securing Chrome.

Thanks to Alex Everett for helping with this article.

Posted in Security

Encrypting folders in OS X with encfs

encfs is a user level file system that provides encryption of files. It’s not the strongest form of encryption, so I would not suggest using it if you need very high security. It works with Fuse to allow mounting encrypted folders as if they were a remote drive. The result is an easy to use method of creating a space to store sensitive data, but without creating a monolithic disk image that has to be backed up in its entirety every time it gets touched. I had been using an encrypted disk image for this for a few years now, and the load on Time Machine or, in my case, Crash Plan, is pretty high. Also, this system will allow you to create an encrypted space in Dropbox or other cloud storage system.

First, some caveats. If you do this and lose your password, you lose access to the encrypted files. Period. No ifs, ands, or buts. I strongly suggest that you also make an unencrypted copy of these files on a DVD or external drive that you can physically secure and do so on a regular basis. Finally, I can’t really say whether doing this is better or worse than other approaches, but it seems to be a good idea to me.

Installation

I used to use OSXFuse on GitHub to get fuse, but since I’ve started using Brew, I just use that to install encfs, and that installs fuse as a dependency. If you use brew, I do recommend running and managing it from an account other than your primary login, since that will help prevent badness from happening by accident.

To make encrypted folders, you run encfs with a directory for the storage of the encrypted files, and a directory to use as a mount point. For example:

mkdir ~/Crypt
encfs /Users/hays/.Crypt /Users/hays/Crypt

will make an encrypted folder that can be mounted to ~/Crypt as a fuse drive. In a shell, that folder will be ~/Crypt, but in Finder, it will appear as OSXFUSE volume 0 (encfs) in that same dir. If you drag that folder to the Finder’s sidebar, it will reappear there each time you mount the encrypted volume.

You may find this a little confusing at first–the key thing to remember is that any files that you place directly in the .Crypt folder will not be encrypted–the encryption occurs when you put files and folder into the mounted FUSE volume, and the encrypted files are stored in the .Crypt folder.

encfs -i 20 /Users/hays/.Crypt /Users/hays/Crypt

You’ll be prompted for a password, et voilà!


Examples of Uses

I used encfs to store files in cloud storage like Dropbox. This works well, but you need to create your encrypted storage inside the cloud drive, and create the mount point outside of the cloud storage–if you create the mount point inside the cloud folder, when you mount the encrypted folder, the cloud app will see that as a new folder, and will sync those files to the cloud.
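The layout rule above (encrypted store inside the synced folder, mount point outside it) is easy to get wrong when a symlink is involved. The following is an added example, not part of the original post: a Python check that resolves symlinks before deciding whether a proposed encfs layout would sync plaintext. The function name and the directories built in `demo()` are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def _inside(child, parent):
    """True if child is parent or lies beneath it, after resolving symlinks."""
    child, parent = os.path.realpath(child), os.path.realpath(parent)
    return os.path.commonpath([child, parent]) == parent


def check_encfs_layout(sync_root, encrypted_dir, mount_point):
    """Return a list of problems with an encfs-in-cloud-storage layout.

    sync_root:     folder the cloud client uploads (for example ~/Dropbox)
    encrypted_dir: where encfs keeps the encrypted files
    mount_point:   where the decrypted view appears while mounted
    """
    problems = []
    if not _inside(encrypted_dir, sync_root):
        problems.append("encrypted dir is outside the synced folder, "
                        "so it is never uploaded")
    if _inside(mount_point, sync_root):
        problems.append("mount point is inside the synced folder, "
                        "so plaintext would be uploaded")
    if _inside(mount_point, encrypted_dir) or _inside(encrypted_dir, mount_point):
        problems.append("mount point and encrypted dir overlap")
    return problems


def demo():
    """Constructed home directory with one good layout and three bad ones."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        sync = home / "Dropbox"
        store = sync / ".Crypt"
        store.mkdir(parents=True)
        (sync / "Crypt").mkdir()
        (home / "Crypt").mkdir()
        (home / ".Crypt").mkdir()
        # Looks like it is outside Dropbox, but resolves to a folder inside it.
        os.symlink(sync / "Crypt", home / "CryptLink")
        return {
            "good": check_encfs_layout(sync, store, home / "Crypt"),
            "mount_in_sync": check_encfs_layout(sync, store, sync / "Crypt"),
            "symlinked_mount": check_encfs_layout(sync, store, home / "CryptLink"),
            "store_outside": check_encfs_layout(sync, home / ".Crypt", home / "Crypt"),
        }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "ok")
```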

Another thing I use encfs for is to securely store my ssh keys. If you use .ssh as a mount point, you can mount a folder containing your encrypted keys. When you mount that folder to .ssh, the keys are available. Dismount, and they are encrypted.

Again, I want to stress that it is important to keep backups of whatever data you encrypt in this manner–a while ago I spent about an hour in a cold sweat trying to remember my password for an encrypted disk image that contained my tax data.

Posted in Security

Creating and Managing Good Passwords

As cracking tools have become more efficient, what counts as a good password has changed. At the time of this writing, 14-16 characters is pretty much the minimum length. And many of the old schemes we’ve used in the past, such as substituting characters or using the first letters of words in a phrase, are so well known that they are no longer secure.

Ideally, you should use a long unique password for each site you login to. The best passwords are a random mix of text, numbers and special characters. But few can remember this kind of password.

Fortunately, you don’t have to, if you use a password vault, like 1Password, KeePass, or LastPass. Some programs support browser plugins that will autolog the passwords. Some vaults can be stored in Dropbox, and LastPass stores them in their cloud. One thing to consider is the nature of the vault. 1Password stores individual logins as separate files, and that makes it easy to sync with systems like Dropbox or iCloud. KeePassX, the OS X port of KeePass, stores the keys in a monolithic file, so syncing and backups become more complicated as the vault grows.

Ok, so you have a vault. The vault itself requires a password, and that one should be:

  • Long, as in more than 16 characters at least.
  • Easy to type, because you’re going to be typing it a lot.
  • Strong, ideally including letters, numbers, and special characters.

There are a lot of schemes out there, but also a lot of schemers. Pretty much any system one uses has been subject to scrutiny by crackers, so relying on a scheme that produces a very complex password won’t help much, and is likely going to result in a password that is both hard to remember and hard to type. Ars Technica has a good article on the advances crackers have made. They ran a test in which three crackers tore apart a password list, and one got 90% of the 16,000 passwords in 20 hours using commodity hardware, although in fairness, the passwords were hashed with MD5, which is not really resistant to brute force attacks.

But if you look at the lists of passwords cracked–you can find a couple here–you typically see that regardless of complexity, it is pretty rare that one longer than fourteen characters gets cracked. So length is a key factor. And notice that some of the passwords are long and complex. The key thing to get here is that in addition to all of the Bible and all of Project Gutenberg, crackers use these long lists of known passwords in their dictionary files.

That being said, some of the passwords in such databases are long, and that suggests a troubling thing–that the schemes we use to generate passwords are neither truly random, nor unique. We know that human beings are not good at generating randomness, and, if you think about it, any scheme that you come up with to make passwords has probably been stumbled upon by many many other people. You can’t control how long the passwords those people create are, so as a scheme is “discovered” by a brute force attack, that pattern winds up in the dictionary files even if no one can understand how it was generated. In a very real sense, any system that you come up with, such as choosing a phrase from a song and adding some symbols and numbers, is likely not very random. Most importantly, I’m not the smartest person on the planet and I don’t spend all my time scheming, so any scheme I can come up with has likely been used by others, and it’s part of the crackers’ job to figure out what scheme I’ve chosen. I don’t want to bet my security on me being more clever than the professionals.

Kerckhoffs’s Principle is apropos here: “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.”


Enter Diceware

So we need an approach to passwords based on a system that produces good passwords that are very difficult to break even when the scheme is known to the cracker, but easy to remember. The logic is pretty simple–if I can generate a random password with 80-100 bits of entropy using a system that is well known, I’m more secure than if I use an obscure scheme or a pattern that I generate.

You may have seen the XKCD cartoon about diceware. The short version is that if you randomly choose 5-6 words, you have a pass phrase that is relatively easy to remember, and more secure than 9-10 random characters. The key is the words must be random–phrases that make sense are easier to crack. For example, “bible ff few clout infra” has 83-95 bits of entropy, whereas “Xxthr{3glxg8” has 60-75 bits of entropy. And the pad will allow the password to be accepted on most any system.

Tyler Akins has a web based diceware generator you can use to play with the notion of diceware. There’s also a link there to his password strength tester. Dropbox has a good blog entry on passwords and a good strength checker. These are handy tools to use to test passwords to see how resistant they are to programs like John the Ripper.

But you can also do riffs on diceware, by including a pad of random numbers, capital letters, and special characters. For example, “folk patch ps final” has about 60 bits of entropy, but with a four character pad, we can get “folk patch ps N0~^ final” with about 90 bits of entropy. 90 bits is very good for a password these days.
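The following is an added example, not part of the original post: a diceware-style generator with the optional pad, plus an entropy estimate that follows Kerckhoffs’s principle by assuming the attacker knows the word list and the padding scheme. The 32-word list is constructed so the example runs offline (a real Diceware list has 7,776 words), and because the estimate counts only the random choices made, it comes out lower than the figures a character-by-character strength tester reports.

```python
import math
import secrets
import string

# Constructed 32-word sample list (5 bits per word). A real Diceware list has
# 6**5 = 7776 entries, one for each outcome of five dice rolls.
SAMPLE_WORDS = (
    "acorn", "amber", "basil", "birch", "cedar", "cliff", "clout", "delta",
    "ember", "fable", "few", "final", "flint", "folk", "grove", "hazel",
    "infra", "jolly", "kiosk", "lemon", "maple", "nomad", "olive", "patch",
    "quill", "raven", "sable", "tulip", "umbra", "vivid", "willow", "zesty",
)
DICEWARE_LIST_SIZE = 6 ** 5

# Pad characters: capitals, digits and punctuation (no space, which separates
# the words, and no lowercase, so a pad can never be mistaken for a word).
PAD_ALPHABET = string.ascii_uppercase + string.digits + string.punctuation


def make_passphrase(wordlist, n_words, pad_len=0):
    """Pick words uniformly at random with a CSPRNG; optionally insert a pad."""
    parts = [secrets.choice(wordlist) for _ in range(n_words)]
    if pad_len:
        pad = "".join(secrets.choice(PAD_ALPHABET) for _ in range(pad_len))
        # The pad goes in one of n_words + 1 slots, also chosen at random.
        parts.insert(secrets.randbelow(n_words + 1), pad)
    return " ".join(parts)


def scheme_entropy_bits(list_size, n_words, pad_len=0,
                        pad_alphabet_size=len(PAD_ALPHABET)):
    """Entropy of the scheme when the attacker knows everything but the dice.

    Each word contributes log2(list_size) bits, each pad character
    log2(pad_alphabet_size) bits, and the pad position log2(n_words + 1).
    """
    bits = n_words * math.log2(list_size)
    if pad_len:
        bits += pad_len * math.log2(pad_alphabet_size)
        bits += math.log2(n_words + 1)
    return bits


if __name__ == "__main__":
    print("sample (constructed list):", make_passphrase(SAMPLE_WORDS, 4, pad_len=4))
    for words, pad in ((4, 0), (4, 4), (5, 0), (6, 0)):
        bits = scheme_entropy_bits(DICEWARE_LIST_SIZE, words, pad)
        print(f"{words} words, pad {pad}: {bits:.1f} bits")
```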

And the really good news? If you’re using a vault, you don’t have to remember all that many passwords. You’ll need passwords for your vault, and your workstation login, and a couple of other things (like an encrypted key to store clear text backups of your vault’s database), but you really can bring it down to just a handful that you have to remember, and that means you’re that much more secure.

Posted in Security