Pragmattica

March 29, 2009

Protect Your Important Data with Dropbox

Filed under: Linux — bnsmith @ 9:47 am

An Easy Backup Solution for Ubuntu
I bet you think that you already know how to easily backup your files: just pop in a blank CD-R, pick the files to backup, burn it and you’re done. But suppose that I actually suggested that you try this backup method, would you do it? Maybe you would get around to it next week, or next month, or next year; just as soon as you got a bit of free time.

Sorry, folks, but that’s not good enough. In order to protect your important data, you need a strategy that’s automated. One that works no matter how busy you get–because the times when you’re busiest are the times that you need those backups the most.

I’ve given this problem some thought over the years, and the best solution that I know of is an online service called Dropbox. The basic idea is that the Dropbox program creates a folder on your hard drive, and anything that you copy into that folder is backed up online.

Why Dropbox?
The following five points were the main factors in my decision to select Dropbox as my primary backup solution.

  1. Dropbox is free. A Dropbox account won’t cost you a cent, and the founders have promised to keep the lowest tier of service free forever. Someday they may be bought out by a larger company and things could change, but for the foreseeable future, their service is totally free of cost, and even free of ads.
  2. Dropbox is fully automated. It runs in the background and constantly watches your Dropbox folder. Any time you copy a new file into that folder or modify an existing file, Dropbox will detect the change and upload the parts of the file that have changed. With text documents, it usually completes the backup operation within seconds of clicking the “Save” button.
  3. All your files are available through a convenient web-based interface. If you’re away from your main computer, you can still log in to the Dropbox web-site and download any of the files that you keep in your Dropbox folder.
  4. When you make changes to your files, Dropbox actually keeps the older versions. I imagine that most users probably won’t use this feature often, if at all. However, under the right circumstances, it could save you from a potentially costly mistake.
  5. Have Dropbox installed on multiple machines, and it will keep a fully synchronized copy on both! Given this fact, the right setup would reduce the amount that you would need to trust the people who run Dropbox. Suppose that you have a work computer and a home computer. If you have Dropbox installed on both computers, and save a file in your Dropbox folder on your work computer, it should be copied up to the Dropbox servers and then back down to your home computer in a few seconds. This means that you would always have a copy of your important files saved on a computer that you own and control.

It Sounds Too Good to be True!
Dropbox is not without its faults, so I suggest that you read the following carefully before making a decision.

  1. The free service only allows you to keep 2 GB of data backed up on the Dropbox servers. If you are willing to spend US$99 per year, then you can increase this limit to 50 GB. Still, if your passion is making movies, for example, even this might not be enough.
  2. Using this service requires trusting the employees of Dropbox. When you copy a file into your Dropbox, you are trusting that they will keep the file safe, secure and private, not just now, but forever after. Who knows what might change in 50 years? Perhaps the future owners of Dropbox will change to a blackmail-oriented business model and threaten to publicly release your files unless you pay them an exorbitant yearly fee. For this reason, I don’t recommend using Dropbox to backup anything that is so sensitive that its release would be life-destroying (at least, not without additional protection). This means that Dropbox is absolutely not the right place to keep the passwords for your bank accounts. I’m not trying to say that you can never keep anything even remotely private in your Dropbox, just that you need to consider the risks. Imagine, for a moment, that you’re writing a novel. If you manually backup your novel once per week, then a hard-drive crash could lead to the loss of several days worth of work. This would then necessitate the motivation-destroying process of rewriting thousands of words over again, which might easily doom the entire novel. On the other hand, if you keep automatic backups of the novel with Dropbox, you face the slight possibility of your novel’s incomplete draft being published on the Internet, likely through some undetected security flaw being exploited by a hacker. As you can see, both options have risks associated with them. For each file that you consider putting into your Dropbox, you must weigh the risk of losing that file due to the lack of an adequate backup solution verses the risk of that file being exposed. Unfortunately, this is a difficult choice to make, and there is nothing more that I can say to help you choose. It’s possible to decrease the likelihood of your data being exposed by encrypting it before placing it in your Dropbox, but this is less convenient.
  3. The Dropbox service is entirely Internet-based. Files are only backed-up when you are connected to the Internet. If you are planning on travelling to a country where Internet access will be sporadic or unavailable, you will need to come up with an alternate backup strategy.
  4. Dropbox includes a feature that allows files to be shared publicly and made accessible to anyone on the Internet via a special web-site address. To share a file, simply place it into the “public” folder within your Dropbox. A feature like this could indeed be helpful, but I recommend staying away from it. The Dropbox “Terms and Conditions” describe the licensing implications of placing any file into the “public” folder, and their chosen licensing conditions may not meet your needs. If you wish to share your photographs, for example, it is probably better to do it through some other venue where you are in control of the exact license that your photographs are shared under.
  5. Dropbox doesn’t currently include a feature allowing the synchronization of any files or folders outside of the main Dropbox folder. Actually, there is a way to do this, but it requires some technical knowledge. I will explore this topic in a later post.

Installing Dropbox
Now that you know the pros and cons of this backup strategy, if you still wish to try it, just follow these instructions:

01_website2

  • Click the big “Download Dropbox” button

02_download1

  • It should take you to the download page for Linux; click the link for your version of Ubuntu and your processor architecture (either regular x86 or 64-bit x86)
  • Save the file to your Desktop
  • Double-click the file on your Desktop; the “Package Installer” program should open
  • Click the “Install Package” button; enter your password
  • Log out and then log back in
  • You should now see the Dropbox icon in the top-right

03_desktop1

  • Left-click the Dropbox icon to start the setup wizard

04_setup1

  • Go through the wizard to set up a new Dropbox account
  • Once the wizard is complete, you should be able to go to Places -> Home Folder and see your new Dropbox folder

05_folder1

Now, just keep the files that you want to backup in your Dropbox folder. You can edit them and move them around as much as you want. Dropbox won’t miss a beat. If you have any questions about Dropbox or suggestions for a better backup solution, please leave a comment.

Advertisements

March 19, 2009

What the Designers of Bank Vaults Should Learn from the Field of Computer Security

Filed under: Uncategorized — bnsmith @ 3:51 pm

I recently read this Wired article about a diamond heist that took place a few years ago. It’s a good read; I suggest you check it out.

Anyway, the article gives an excellent description of each of the security measures that the vault’s owners put in place, as well as the methods that the crooks used to circumvent the each measure. While reading, I continually marvelled at the ingenuity with which the thieves circumvented each system, which is, I suppose, the point of the article, and why it makes such great reading for geeks like myself. At the same time, I couldn’t help but feel a little uneasy about the approach taken by the owners of the building to secure their vault. It seemed like a shotgun approach: take one of every kind of sensor and locking mechanism available and stick it in their somewhere, and then keep the final resulting system secret, to make it more difficult for thieves to figure out which circumvention methods would be necessary to breach the vault.

In the realm of computers, there is a name for this strategy: security through obscurity. That got me thinking, is there a better way to secure physical property? I think that at this point, most knowledgeable computer people have given up on security through obscurity, and now recognize the importance of proper security. But physical security is a very different beast than computer security, isn’t it? I mean, if the current state of the art in vault-making is just security through obscurity, then what would proper security look like?

One of the primary principles of computer security is that it is open. Nothing is hidden or secret about encryption algorithms. The only secret is the secret key that a particular person uses to encrypt their data. As long as an attacker doesn’t know that secret key, their knowledge about the rest of the encryption algorithm doesn’t help them a bit. Would it be possible to do the same thing with a vault? Could you make a vault whose blueprints were completely open and available to anyone, but that was still secure, as long as the combination was unknown?

I thought about this question for a while, and it seemed to me that it should be possible, but no answer was forthcoming. The central problem is this: you can keep the control system for opening and closing the vault inside the vault itself, to protect it from tampering, but you still need some way to communicate with the control system in order to cause it to open the vault’s door. For example, if the control system inside the vault will only open the door for a particular numeric code, then you would need some kind of keypad on the outside of the vault, so that the vault’s owner could enter the code when they wished to enter. Then you would need some kind of connection between the keypad and the control system. The most obvious communication channel would be a simple wire, but then you would need to drill a hole through the vault’s outer wall for the wire to pass through. This hole then becomes a vulnerability. The attackers could rip off the keypad, pull out the wire and then snake a little endoscope-like robot through the hole to monkey with the control system directly. There are little additions that could be made to this system, but none that fully remove the vulnerability. If you make the hole through the vault wavy rather than straight, for example, then the little robot would have more difficulty snaking through, but a more flexible version of the robot could be built. Measures could be adopted to prevent the keypad from being ripped off, but they could all be circumvented by opening and hacking the keypad itself, which the attackers would have relatively easy access to.

If the vault’s walls were constructed of metal thick enough to withstand many hours of drilling, then it probably wouldn’t be possible to use any kind of wireless radio signal to communicate with the control system either. This was the thought that finally led me to the answer that I was looking for. If the vault’s walls were made of metal, then perhaps the walls themselves could conduct electricity well enough to allow a signal to be transmitted through.

Imagine this: a vault cast as a single piece of hardened metal, with walls several feet thick, able to withstand three days of non-stop drilling. The vault’s single opening would be protected by a door of the same thickness as the rest of the vault. The hinges for the door would attach on the inside of the vault. From the outside, the vault might appear as though it is just a solid block of metal, with only the thinnest seam visible where the door joins the rest of the structure. Also inside the vault would be the computer control system, perhaps powered by radioisotope battery. The computer would have paddles touching the outer wall that would be able to detect if the wall was conducting and electrical charge. If the computer detected the right pattern of on-off charges (communicating the secret key in binary), then it would open the door. To open the vault, the owner would roll some device up to the side of the vault, pressing paddles up against the vault’s walls. They would then enter their code, by a keypad or some other means, and it would be transmitted through the vault’s walls to the control system.

All that would remain would be the “brute-force” attack: drilling through the wall. Of course, there could still be some subtle vulnerability, but if the plans were published for review by the security community, that would definitely decrease the likelihood of such a thing. If nobody in the security community publishes an exploit for the vault over the course of, say, 50 years, then I think it would be safe to say that the chances of discovering a vulnerability in the next 50 years would be vanishingly small.

There are some possible problems with this. For instance, I don’t know how much electricity would be needed to generate a signal that could reach into the vault. Perhaps the owner would be risking electrocution every time they tried to open the door. Perhaps the vault would need to sit on insulated pillars, because of the electrical charges involved. I am not a vault designer (IANAVD), but it seems to me that something like this could be built.

Perhaps what I’m describing has already been invented, though a quick Google search didn’t turn up anything. If there’s anyone out there who knows anything about bank vaults and physical security, I’d love to hear what you think.

Create a free website or blog at WordPress.com.