You wouldn’t jump out of an airplane without a reserve parachute, would you?
The odds are very high that you won’t need it, and many skydivers go for years without even coming close to pulling the ripcord on their lifesaving spare.
But when you need it, you REALLY need it.
The situation is the same with computer backups.
But whereas most skydivers wouldn’t jump without a recently inspected reserve chute, way too many of us go for months or years without making a backup of our critical data.
Some never do.
And I’ve grown to suspect that nomads are both especially at risk, and especially slack about this critical chore.
Have you checked your reserve lately?
Consider the recent high-profile case of Mat Honan. Seriously, read his story.
If you live any part of your life online, it will chill you to the bone.
In summary, attackers used a shockingly simple trick to take over first Mat’s Amazon.com account, used what they learned there to talk Apple support into resetting his Apple ID (iCloud) account, and then used that to get into his Google and Twitter accounts. They deleted his Gmail (erasing EIGHT years of his email archives), and then used Apple’s “Find My iPhone” and “Find My Mac” remote-wipe feature to completely erase his iPhone, iPad, and laptop in a matter of minutes.
Among many other things, his laptop contained the only copies of the pictures of the first year of his new daughter’s life.
Irreplaceable, and erased in a moment.
And he didn’t have a backup.
As a senior editor at Wired Magazine, Mat will be the first to admit that he of all people should have known better.
But it is so easy to grow lazy, or complacent.
We all think – it can’t happen to me. What are the odds of a hard drive crash? Hackers? A nasty virus? User error? Sabotage? Theft? A spilled drink? A desk-side window left open in the rain? A cat walking on the keyboard and deleting a key directory? (Kiki did this recently!)
When you start to actually think about all the ways there are to lose precious data… the odds are actually pretty darn high that someday, sooner or later, every one of us will face a major tech catastrophe.
It’s not a matter IF your hard drive fails, it’s a matter of WHEN.
And hacking has gotten so automated and easy that almost every week another major site is in the news with a new huge security hole exposed and exploited.
Do you have backups? Do you have a plan for handling a catastrophe? Are you ready for the worst? Are you sure?
Backup Tips for Travelers
Here are some of our tips for keeping your bits secure while living on the road:
- Turn on automatic backups – Before you do anything else, go buy an external drive and set up “Time Machine” if you have a Mac, or some other automatic daily (or hourly) backup system if you do not.
And remember to keep your backups current. If you last plugged in your backup drive six months ago, that leaves a lot of data and memories at risk.
- Be prepared for a LITERAL crash! – This is especially worrisome for us Technomads. Consider, what is your plan if your computer and your backup HD both crash simultaneously – into an oncoming truck?
Or what if your RV fridge starts a fire and burns everything to the ground – including your backup hard drive? What about if your digital gear backpack gets soaked in an unexpected rain or falls overboard while on a ferry boat? It would make a very bad day even worse to have your computer and your backups and your home all destroyed at once.
One way to help is to armor your backups. We’ve been testing out the ioSafe Rugged Portable, which is waterproof, crushproof, and built like a tank. ioSafe also makes a desktop HD that is fireproof too. Both include forensic data-recovery services as an added bonus, just in case of the worst.
(When the next ioSafe model comes out and they send it to us for testing, they’ve invited us to get creative trying to destroy the current model we have. I aim to run it over with a bus and soak it in diesel, for starters…)
- Offsite is a MUST! – Armored backups aren’t enough – what if your computer AND backup drive gets stolen or destroyed in one fell swoop? Insurance may be able to replace the laptop, but it’s not going to replace your data. To recover from this sort of catastrophe, you need to have a backup that is stored far away and safe.
We have backup drives stored with various friends and family members around the country, and when we pass through we update these backups. This way, even if the worst were to happen we’d only lose a few months of data and photos.
In the grand scheme of things, hard drives are cheap, memories are priceless.
- Back up to the cloud, when bandwidth allows – There are some highly regarded online backup services like CrashPlan and Mozy that back up all your files to online servers, for a price. But potentially vastly more expensive than the backup service fee are the overage charges if you accidentally try to back up over a capped cellular connection. And even on an unlimited data plan, most mobile internet options would take days/weeks/MONTHS to upload a hard drive full of data, photos and video.
These sorts of solutions are more appropriate for people with fixed locations and reliable fast and truly unlimited network connections. For us nomads with more limited connectivity, we have grown to love and rely on Dropbox (sign up via this link and you get some bonus free storage, and so do we).
Dropbox works by syncing a shared “Dropbox” directory with the cloud, and it also syncs between your computers. Cherie and I keep the projects we are actively working on in Dropbox, knowing that we are always backed up to each other’s laptops and to the cloud server. If we should experience a catastrophic event, we can buy or borrow any computer and keep on cranking on whatever projects we were in the middle of without even a day’s data loss. Dropbox also makes it easy to set up a shared synced directory to collaborate directly with friends or clients. Dropbox is cross-platform too, supporting Windows and Linux as well as Mac.
The basic Dropbox accounts are free – and we find the premium service totally worth paying for.
That should cover backups…
Reducing your Hack Risk
But how about avoiding getting hacked in the first place? It would be a bad day indeed to have your Gmail wiped out, your Facebook wall filled with scam posts encouraging your friends to wire emergency money overseas, your bank accounts drained, your credit cards maxed, and Amazon shipping garden gnomes in your name to who-knows-where.
It can happen, all too easily.
A little headache and grunt work now to protect yourself could save untold pain and suffering recovering from an attack later.
Wired has published a great guide to securing yourself, and I like Slate’s guide – “How Not To Get Hacked”.
But in addition to those must-read articles, here are some of our personal favorite tips:
- Don’t EVER Re-Use Passwords – Often the first thing hackers do when they take over a site is publish the user names, email addresses, and password files for other hackers to try and exploit.
If you use the same password on multiple sites, within minutes of an attack on one site automated tools could be tracking down and taking over your other accounts to post spam or worse.
The best way to protect yourself is to NEVER EVER EVER use the same password on multiple web sites. Instead, use a tool like 1Password to automatically manage all your passwords, and to generate unique and unguessable passwords like “7y0iCT1QApu|3W_E” for every site you connect to.
Yes, this is a headache, but 1Password makes it relatively easy, and can be set up to sync your passwords between your computers and your mobile devices too. For passwords that you can’t avoid needing to type manually, you can have 1Password generate simpler pronounceable passwords too, like “shymuvyjeg”. With a little time, you might even start to actually remember a password like that.
But whatever you do, don’t use a real word that can be found in a dictionary – or a dictionary word with a number or two tacked on the end. Those are the very first guesses every password-cracking tool tries.
- Avoid (In)Security Questions – Answers to questions like “What is your mother’s maiden name?” or “What was your high-school mascot?” are often used by sites as part of their password reset procedures. Unfortunately, the answers to these questions are vastly easier to research or guess than almost any password, so this is where a hacker who is after you will often start.
In truth (just like the TSA) these sort of questions do more to give an illusion of security than to actually make things any safer online.
To thwart these (in)security questions, don’t ever give simple literal answers. If forced to answer these “security” questions, you can create random passwords as answers, or creative non-sensical answers. So you don’t forget, save these somewhere secure – just like a password. And just like a password, do NOT use the same security answers on multiple sites!
Just this week World-of-Warcraft and Diablo developer Blizzard disclosed that they had been hacked and that account data for millions of users had been taken. Because the passwords were stored as cryptographic hashes rather than in the clear, it is unlikely that hackers will be able to recover people’s passwords directly – but Blizzard’s entire database of security questions and answers was taken as well. Everyone who used those same questions and answers on other sites is now horribly at risk!
Some sites let you create custom security questions instead of forcing you to pick pre-selected ones, and this is your chance to have a little fun.
(Read this link for many more hilarious examples!)
Q: Are you really who you say you are?
A: No, I am a Russian identity thief!
- Don’t Lose Your Password Archive! – Make sure that you can get at your password archive so that you don’t end up locked out of all your sites in the event of a serious crash. 1Password supports keeping an encrypted copy of its database in Dropbox, so even if our computers are destroyed we can still get at a copy of our master password file. Keeping your encrypted archive on a USB key or even printed and stored in a safe deposit box might also be a good idea.
- They Are Listening In – If the URL doesn’t start with HTTPS (secure HTTP), or the browser doesn’t show a locked padlock, the connection in that window is not encrypted, and you should assume that anyone on your local network (or anywhere on the path between you and the site) can see what you are doing and capture any passwords that you type.
You may think that you are safe on WiFi in a small-town coffee shop, but what if one of the other patrons has been hacked and his or her computer is now automatically eavesdropping and reporting new potential targets? This is surprisingly common – older-generation Windows computers are notorious for being infested with spyware.
All banks (and now even sites like Facebook and Twitter) use HTTPS to protect your login and session, which is what makes using them on public WiFi tolerable. But hardly any smaller sites like blogs or forums bother with HTTPS, so a password typed into one of them can be sniffed straight off the network – and if you use the same account name and password on an insecure site and on a secure one, you have handed the eavesdropper the keys to the secure site too.
- Don’t Trust Big Names to be Smart / Secure – Security is a science, and when done properly data can be encrypted in such a way that it would mathematically take the world’s fastest supercomputers longer than the age of the universe to crack.
Unfortunately, all too many websites fail to take security seriously – allowing hackers to take advantage of them. Even big names like LinkedIn make amateur mistakes: earlier this year roughly 6.5 million LinkedIn password hashes, stored without any salt, were posted for anyone to crack, and about 1.5 million eHarmony password hashes turned up in the same batch of leaks. And last year Sony’s entire PlayStation Network was compromised – with more than 70 million accounts exposed! Don’t ever assume that a big bank or popular website is actually doing security right. Better to always be vigilant.
- Be aware of Phishing Scams – Don’t fall prey to phishing – fraudulent messages sent to you intended to trick you into giving up valuable personal information, such as bank account numbers, addresses, social security numbers, passwords and more. More than likely, you don’t have a long-lost relative who just passed away in Nigeria and left you 1.25 million Euros, and you just have to provide your account number. You didn’t just win an internet lottery. PayPal likely hasn’t locked your account (especially when the message is addressed to ‘Dear Costmuer’). You don’t have an account at a bank you never heard of that needs you to confirm your SSN right now!
Always hover over the link (or force a preview) the e-mail wants you to click on to display the actual URL – if it looks at all phishy, it probably is. For instance a real e-mail from PayPal will direct you to www.paypal.com, but a phishing scam might be more like paypal.phishingscamsitesrus.com.ru. The part that counts is the name right before the first slash, read from the right – that link goes to a .com.ru site, no matter how many times the word “paypal” appears in front of it. If the e-mail appears to be coming from a business you have connections with and might be real, type the normal URL directly into your browser and log in yourself to see if there’s a warning message – or call customer service.
- Lock Down Your Email! – Do not be tempted to keep a simple password on your email accounts, because hackers know these accounts hold the keys to your entire kingdom. If a hacker gets into your email (whether Gmail, Hotmail, Yahoo Mail, or whatever you use), they can then request “password resets” for other sites (like your bank!), deleting the incoming reset email before you even have a chance to see it.
No matter what you do – keep your email secure. And more than anything – never use the same password for email that you use for ANYTHING else.
- Two Factor is a Good Thing – Connecting to a site using “Two Factor Authentication” means that a password (something you know) is no longer enough – you also have to physically possess something (your phone or a hardware token), making a stolen password alone useless to a hacker.
Fingerprint and retina scanners, used in some high-security facilities, are a different kind of factor again (something you are). Online, some sites are now supporting authentication via a confirmation code sent to your phone by SMS, and some banks and brokerages even give out digital dongles that generate a new unique code every 30 or 60 seconds that must be entered to log in.
Google is pushing two-factor authentication via phone now, and it is a great and relatively simple way to secure all your Google-connected accounts. Read more here, and follow this illustrated guide to configure your own Google accounts to be vastly more secure than if they were protected with a password alone.
- Keep One ‘Disposable’ Password – Dealing with unique passwords for every site, service, and app you log in to is undeniably a pain in the ass. And for some sites, it really isn’t worth the effort to jump through the hoops.
Do you really care if hackers learn how many miles you have logged running with Nike+? Or what events you are tracking in the Olympics? And there are plenty of sites that force you to create an account to log in, even if you never intend to return to them again and will not be giving them any personal or financial information.
For sites where security isn’t a concern, it is actually a good idea to have a single easy to remember ‘disposable’ password that you use for quick and simple logging in. Just make sure that you NEVER use this password on any sites where you share any personal information that you wouldn’t want to be stolen and shared with the entire world.
And be careful that a site that you consider ‘disposable’ doesn’t eventually become critical. For example, a lot of people used to consider Facebook a toy, and now it is central to many lives. But how many people have changed their passwords first created years ago to now be more secure?
- Online – Use Credit, Not Debit – Aside from arguments about whether credit cards are evil or not – they do carry one very beneficial feature. If your credit card number is ever compromised and the attackers manage to run up your credit card bill, all it takes is one phone call to dispute the charges (and probably close the account) and you are most likely in the clear.
There are a ton of consumer protection laws limiting your risk, and most credit card companies will go overboard to insulate you. On the other hand, if you have been using a debit card online and the hacker gets at it, in a matter of moments your entire linked account could be drained – and even if you do manage to get your funds returned, it might take weeks. This could seriously derail your travels, or heck, your next grocery outing. Using a debit card online just isn’t worth the risk unless you are extremely careful to limit the funds available in the linked accounts.
But if you are using credit – pay it off monthly. Debt sucks! If you don’t want an actual credit account for whatever reason, consider a refillable card to use for your online shopping instead. You can pick one up at places like Wal*Mart, fill it with some cash and use that.
- Stay Up To Date! – Each new operating system and browser release tends to be substantially more secure than the ones that came before it. Windows 7 and Mac OS X Lion (and now Mountain Lion) are both pretty well hardened against most attacks, particularly if you keep them up to date with security patches.
On the other hand – if you are still running Windows XP or surfing with IE6, you might as well be wearing a big neon sign that says “Hack Me Now!”
If you are still using XP, my best suggestion to you is to make sure your backups are current, carefully disconnect your computer from the Internet, and then smash your old machine with a sledgehammer.
“Nuke the entire site from orbit – it’s the only way to be sure.”
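The phishing tip above boils down to one rule: the name that matters is the host right before the first slash, read from the right, and anything in front of an “@” is a username, not the site. As an added example (my own code, not something from the original post), here is that rule in a few lines of Python. The function names, the sample links and the “evil.example” domains are constructed for illustration; the check compares against a domain you name rather than consulting a public-suffix list, so “paypal.com” must be supplied by you.

```python
from typing import List, Optional
from urllib.parse import urlparse


def link_host(url: str) -> Optional[str]:
    """Return the lowercase hostname a browser would actually connect to, or None."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        return None
    host = parsed.hostname          # already drops any "user:pass@" prefix and ":port" suffix
    if not host:
        return None
    return host.lower().rstrip(".")


def link_belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the host IS expected_domain or a subdomain of it.
    'paypal.com.evil.example' and 'notpaypal.com' both fail; 'www.paypal.com' passes."""
    host = link_host(url)
    if host is None:
        return False
    expected = expected_domain.lower().strip(".")
    return host == expected or host.endswith("." + expected)


def phishing_signals(url: str, expected_domain: str) -> List[str]:
    """Plain-language red flags for a link that claims to come from expected_domain.
    An empty list means nothing suspicious was spotted (not proof the link is safe)."""
    signals: List[str] = []
    parsed = urlparse(url.strip())
    host = link_host(url)
    if host is None:
        return ["no usable http(s) hostname"]
    if parsed.username is not None:
        signals.append("text before '@' is a username; the real host comes after it")
    if any(label.startswith("xn--") for label in host.split(".")):
        signals.append("punycode label: may use look-alike characters")
    if host.replace(".", "").isdigit():
        signals.append("bare IP address instead of a domain name")
    if not link_belongs_to(url, expected_domain):
        if expected_domain.lower() in host:
            signals.append(f"'{expected_domain}' is buried inside another domain")
        else:
            signals.append(f"host '{host}' is not {expected_domain}")
    if parsed.scheme != "https":
        signals.append("not HTTPS")
    return signals


if __name__ == "__main__":
    # Constructed sample links modelled on the page's PayPal example (evil.example is fictional).
    for link in ["https://www.paypal.com/signin",
                 "http://paypal.phishingscamsitesrus.com.ru/login",
                 "http://www.paypal.com@evil.example/",
                 "https://paypal.com.evil.example/"]:
        print(link, "->", link_belongs_to(link, "paypal.com"), phishing_signals(link, "paypal.com"))
```

The “@” case is the one people miss most often: `http://www.paypal.com@evil.example/` is a perfectly valid URL whose host is `evil.example`; everything before the “@” is sent as a username and ignored. Python’s `urlparse` gets this right, which is why the code asks it for `.hostname` instead of eyeballing the string.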
The Internet is a scary place, and it is getting scarier by the day. Now even governments are starting to engage in stealth cyberwarfare!
Even amateur hacker tools have gotten more and more sophisticated – allowing even unskilled online vandals to attempt to hack hundreds of thousands of people an hour. You may think you will never be a target individually, but you can’t hide from a mass attack. These mass attacks feed off databases of millions of email addresses and passwords, like the ones stolen from LinkedIn earlier this year.
Is all of this a royal pain? Indeed.
Forget the war on drugs, I’d rather see the government fighting a war on spam and cyber-scum.
But the Internet is too much a part of life to even think of giving up, so all we can do is lock the doors, take reasonable precautions, and hope for the best.
So – what will you do to protect yourself?
Don’t tell yourself you’ll get around to upping your security later, because you know well-and-good that later will never come.
Do it now. Start changing some passwords. Turn on two-factor. Lock your online doors.
How recent was your latest backup?
You do have a second backup stored somewhere else too, right?
Be safe out there, and remember to always double-check your reserve chute before jumping online!
Bonus: Password Geekery from xkcd, my favorite web comic:
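The comic’s point is about entropy, not cleverness: a password is only as strong as the number of equally likely choices the attacker has to try. As an added example (my own, not from the post or from xkcd), here is the arithmetic behind the comparison, alongside a passphrase generator that draws words with the operating system’s secure random source. The 16-word list is constructed for illustration and far too short for real use; the function names, the 7776-word list size (the standard Diceware list) and the ten-billion-guesses-per-second attacker are assumptions stated in the code.

```python
import math
import secrets
from typing import Dict, Sequence

# Constructed sample list. A real passphrase list (e.g. Diceware) has 7776 words;
# with only 16 choices per word, four words give just 16 bits.
WORDS = ["correct", "horse", "battery", "staple", "lamp", "river", "quiet", "orbit",
         "pencil", "garden", "silver", "anchor", "mango", "velvet", "frost", "comet"]


def generate_passphrase(word_count: int = 4, words: Sequence[str] = WORDS, sep: str = " ") -> str:
    """Pick words uniformly at random with the OS CSPRNG. Never use random.choice for
    secrets: it is seeded predictably and its output can be reconstructed."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly from `alphabet_size` options.
    Only valid for random choice; a human-chosen word or sentence has far less."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time for an offline attacker (assumed 10 billion guesses/s against
    fast, unsalted hashes) to try every possibility. Average time is half this."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare_schemes() -> Dict[str, float]:
    """Entropy of the password styles the post mentions, assuming uniform random choice
    (so the pronounceable-password figure is an upper bound)."""
    return {
        "16 random printable chars (7y0iCT1QApu|3W_E)": entropy_bits(95, 16),
        "10 random lowercase letters (shymuvyjeg)": entropy_bits(26, 10),
        "4 random Diceware words": entropy_bits(7776, 4),
        "4 random words from this 16-word list": entropy_bits(len(WORDS), 4),
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase())
    for scheme, bits in compare_schemes().items():
        print(f"{scheme:48s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years to exhaust")
```

Run it and the xkcd argument falls out of the numbers: four words from a 7776-word list (about 52 bits) beat ten random lowercase letters (about 47 bits) while being far easier to remember, and the 16-character 1Password-style string (over 100 bits) is out of reach for any brute-force attacker. It also shows why Scott’s “same secret word at the end of a sentence” idea in the comments is weaker than it looks: once one password leaks, the sentence structure and the secret word are both known, and the remaining entropy is only the site name.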
Jim says
Great article. I have used Roboform for a number of years and now find myself using a Win 7 computer, Android phones and an iPad.
Roboform offers a cross platform solution in the form of Roboform Everywhere. I have also looked at 1Password which offers that as well. The drawback, at least to me is that your passwords are stored in the cloud. With RF I have only used the desktop version over the years and have redundant backups of my system and passwords.
I have accounts with Google Drive and Dropbox but only use them for data that I wouldn’t worry about anyone else seeing.
The problem I have with using Google Drive or Dropbox is it seems the data is not encrypted on their servers, or is it?
Roboform claims the data is stored at a Tier 1 server with armed guards, backup generators and a guarantee of being up and running 99.9% of the time.
The appeal, to me, of 1Password is that you can sync your data manually and without using cloud storage.
I know they say that 256 AES encryption would be difficult to break but really how safe is this.
Chris Dunphy says
As I understand it, all data on Google Drive and Dropbox servers is encrypted – but to function Dropbox and Google need their own copies of the keys. It would be a major headline / scandal producing event if either of these companies ever had their master keys stolen and servers hacked – so in general I feel pretty safe with the data I store there.
When 1Password is syncing through DropBox or iCloud, the data being synced is encrypted even further – so even someone hacking into your Dropbox would still need to hack your 1Password passphrase to get any useful data. If you are using a unique long passphrase, that is very unlikely to be possible.
I have never looked at RoboForm, but I imagine it works similarly.
Even with all the security horror stories out lately – AES still seems to be a gold standard algorithm for encryption, and is considered very safe. It is what the government uses after all. Perhaps the NSA has the technology to crack AES, but if your passphrase is secure you are for all intents and purposes safe from even the best funded non-governmental hackers.
You sound like you are already way ahead of 99% of the world population, so I think you should be able to rest easy now even if you do begin to sync through the cloud.
– Chris
Michael Franks says
Don’t forget to let Kiki in on the fun to test that drive. See how well it stands up to claws and static and anything else she can think of!!! :p Since I own 6 cats I am sure she can think of a few things to do to it!!! 😀
Jil Mohr says
What a fabulous article….I am so glad you wrote it…I have been backing up regularly for quite a while…it is all the other stuff you are recommending I have to figure out…I do have Dropbox but don’t know how to use it…I also have 1Password but haven’t used that yet either… I guess I have my work cut out for me for awhile…hopefully a non-techie like me can figure it out… again…thanks for being so generous with your information and sharing it…
George says
I’m confused by your recommendation of Dropbox over CrashPlan, since both upload to the Internet regularly, thus using up data. In fact, CrashPlan can be configured to only upload under certain network conditions, and also disabled completely (as can Dropbox) for uploading.
One plus Dropbox does have over CrashPlan is the files are actual files, unlike CP which is a proprietary backup archive.
Chris Dunphy says
I haven’t looked closely at CrashPlan in a while, so maybe things have changed – but I thought that the general use case for CrashPlan is to back up your entire hard drive?
We like Dropbox because we can spend the bandwidth backing up only what is in our Dropbox folder – and that gives us a lot of explicit control over what gets backed up. We use it for projects that are under active development, and for things we are collaborating on. It also backs up not just to the cloud, but to each other’s laptops – this way we each have a copy of the full contents of the Dropbox at all times.
We’ve found it to be super handy.
George says
I use and love Dropbox as well, for the exact reasons you mentioned above 🙂
But I can’t save everything in my Dropbox account (still a free user for now), and for the per-gigabyte price CrashPlan is much more affordable for backups of stuff I don’t need synced to all computers.
CrashPlan has extremely granular folder hierarchy selection, so you can back up as much or as little as you choose.
The other great thing is being able to choose which network connections will be used for backups. I discovered this after my partial-nomad brother got on CP, and wanted to make sure his MacBook Air wasn’t backing up when he was on his Mi-fi. We found that you can choose down to the specific network when to back up—in other words, you can still back up over wi-fi, but exclude specific networks that you connect to.
I’m not a nomad yet, but my division between Dropbox and Crashplan is to use DB for current/active files, and CP for things that are archived and backed up (locally) that I also want backed up offsite.
Initial backups can indeed take a long time, but you can mail them a physical drive to jumpstart the backup. They charge a fee for doing so I believe.
Side note: thanks for all this superb info on the blog, the tech side of nomading was a big concern for me and you guys have made it seem like a piece of cake!
Eric says
I’m working on a series for my blog about back up and archiving, so it was cool to read some of your methods and suggestions. I always seem to forget about security though. I really like the one about filling in fake info for “Name of your Elementary School” and things like that. Like many others, Mat Honan’s story has scared me into action.
Glenn Dixon says
Wow. So many comments to add here, and I have weak wifi which requires me to sit outside my hotel room on a bench! *grrr*
1 – Offsite backups – not so practical when traveling outside of the U.S. – I guess online services will have to do…
2 – Passwords – The most recent Yahoo hack caused my email address to be posted online with (supposedly) a password I had used on one site. Several other sites contacted me requiring me to change my password. Fortunately I was already using a system which made every site’s password different, but I felt my system was vulnerable. Everything important is now randomly generated by LastPass.
3 – https – NOT so secure – http://midsizeinsider.com/en-us/article/https-not-so-secure-says-trustworthy-in
4 – VPN – when traveling, this is critical for us – provides security when using 3rd party wifi, plus provides a U.S.-based IP for sites which require it
5 – Two-factor authentication – my old cell phone # is ported to Google Voice, and is therefore impractical (and disallowed) for this – not sure what to do here exactly – Also, Bruce Schneier wrote about it here http://www.schneier.com/blog/archives/2012/02/the_failure_of_2.html
Chris Dunphy says
Glenn —
Good comments, thanks. A few replies:
1 – Offsite backups are still hugely important when traveling outside the US, perhaps even more so. I know international nomads who mail memory cards full of critical files or even encrypted HD’s home every month or so. The risk of one stolen backpack losing “everything” is too great. But of course, as you mentioned – online backups can be useful too.
2 – Though I’ve not used it, I’ve heard good things about LastPass.
3 – There are certainly known weaknesses in some deployed implementations of HTTPS, but I have never heard of any demonstrated hack (other than rumored NSA capabilities) that would allow an eavesdropper to listen in live to HTTPS traffic. If you are transmitting secrets that an attacker would find worth recording and then spending a month of computer time to decode, you shouldn’t be using a public network in the first place. For 99% of what 99% of people do online, HTTPS should be “good enough” to feel safe.
4 – This is an excellent tip! For those reading along, a VPN service encrypts all your traffic from your device and makes it as if you are connected to the internet from the service’s location, not from wherever you are actually at. I played around with using a VPN to enable streaming Netflix movies while we were in the Virgin Islands. It worked, but for us was more hassle than it was worth.
5 – You can do Google’s two-factor authentication using the Google Authenticator app on any iOS or Android smartphone, so your number doesn’t matter. And yes, there are still theoretical attacks possible, but you are vastly safer with your doors locked. The thieves won’t waste time hacking two-factor protected accounts when there are plenty of easier targets down the street.
Glenn Dixon says
1 – I think my main issue with mailing physical drives or memory cards around is the utter hassle of it. Shipping from central America is extremely expensive and not easy to guarantee or insure. Shipping from the States to central America (either to rotate drives or for recovery purposes) is similarly costly. Expect to pay mystery ‘fees’ and do not expect your package to arrive intact necessarily. This is the main reason I have not implemented this particular strategy. TL;DR “too much hassle” 🙂
2 – re: https – my knowledge is very weak in this area, so I’ll defer to you 🙂
4 – VPN – I tried a few different VPN/proxy solutions and most were indeed a hassle. Our current solution uses Tunnelblick (GPL) software which uses OpenVPN. Service provided through FoxyVPN.com – we picked an IP in Dallas. It sits in the OS X menu bar, connects in a couple of clicks. VERY handy, and so far very reliable. $6/mo.
5 – re: 2-factor – I have the Authenticator app on my iPod, but it’s not a phone. I don’t even remember why I downloaded the app to begin with! What I can’t find is, now that I have the app — how do I set up 2-step authentication with Google? It is either hidden or missing on Google’s pages. All of their instructions presume a phone #.
Cherie Ve Ard says
In regards to offsite backups while traveling abroad – only you can make the decision of what’s more of a hassle, and where the risk line is for you. For us, if we were doing extended international travel, we’d simply factor those costs into our cost of affording our chosen lifestyle.
Wheelingit says
Great article! The one other back-up I do is a hard copy to disc (CDs/DVDs). I like having both soft and hard copies for my photos.
Nina
Bob says
Oh hey! You said that.
”It’s not a matter of if’ your computer will die, but when’, because it will happen.”
Sorry. My bad. My memory is good. Just really short.
Bob says
Wowsers. That’s a lotta reading, and I’ll have to come back.
Went over to the first article you mentioned. That was scary.
Backing up my sh*t once a week is a regular household chore. I’d no more forget to do it than change the bedsheets.
I figure clouds are really only meant for rainfall, and so storing files in them is never going to happen.
With the exception of iTunes, which we need as a result of a couple of iPods, we have never drunk the “apple juice”. And yes I know, Apples are simply marvellous, but I’ve managed to survive without one up to this point.
My considerably smarter than me nephew (whom I have “loaned” a few thousand bucks over the years) set me up with a neat little thing that he wrote that makes it easy peasy for a dim-wit like me to back up my entire computer. Like he once said, “It’s not a matter of ‘if’ your computer will die, but ‘when’, because it will happen”.
He’ll be doing computer work for me for a long, long time I would think. Well, unless he comes to the house one fine day with a wad of cash. But I don’t see that happening. I’m OK with that. It’s like he’s on “retainer”.
I’m suddenly not that unhappy that I don’t have a cat.
Thanks for the write-up.
Good stuff.
Chris Dunphy says
One important tip – especially if you are using any sort of home brew backup system… TEST IT!
Make sure that it is actually running, backing up what you want, and that restores work.
I’ve seen more than a few cases where people thought they had regular backups working, only to go and attempt a restore after a HD crash and then find out that the backup hadn’t completed successfully in months. Or that the backup HD was encrypted, and the password to unlock it was lost in the HD crash – making the backup useless!
Anyway – a fire drill that involves testing a restore is probably smart paranoia at least once or twice a year.
Scott says
As an IT professional and full-timer, listen to all the above backup and suggestions! “If it only is stored in one place, it doesn’t really exist at all” (and that includes one camper). However, there are two suggestions I’d have for picking passwords: (1) Make them LONG! A sentence with 4-5 words is much safer now-a-days than 10 characters of random letters and numbers, and easier to remember. Most sites are letting passwords be longer than they used to. (2) Use a secret word at the end. I might have passwords “Dropbox stores all my stuff z1y2x3#” and “Facebook has friends and family z1y2x3#”, using the same secret word almost everywhere. Put numbers and symbols in the secret word if the site wants them, but make the rest easy to remember, because of what site you are using. Just some thoughts!
Chris Dunphy says
Great tips Scott.
Often a series of words is way better than any short password – but keeping the words random is even better than a sentence. In your example, if a hacker got your full Facebook password, your Dropbox password is no longer super-hard to guess.
Check out the xkcd password generator for a very clever idea on how to create hard to guess but easy to remember passwords: http://preshing.com/20110811/xkcd-password-generator
dvdchris says
Don’t trust the ‘from’ field in an email. Due to the way email is designed, it is trivial for anyone to spoof the header into saying the email is from whatever individual/company they wish.
Don’t count on the URL preview in an email to actually tell you where that link goes. It is too easy to fool unsophisticated users using a variety of methods that the links are legit.
Also, no site should EVER be able to email you or tell you your actual password. If they can, it means they are not ‘hashing’ (encrypting) it, meaning anyone that hacks them can also recover the actual password. Hashing passwords has been a security standard for quite a while now. Sites that have length or character limitations on passwords are a big clue they are not doing this. Incredibly, this still includes some banking institutions.
Chris Dunphy says
Great tips – thanks! I remember years ago in the college computer labs having fun spoofing emails to people from various implausible addresses, causing much confusion.
This one tip is especially important:
“Also, no site should EVER be able to email you or tell you your actual password.”
Indeed – if a site can tell you your current password (as opposed to resetting it and giving you a new one) – that is a sure sign that they don’t know what they are doing when it comes to security, and that they are likely wide open to skilled hackers.
For those reading along… A “hash” is a one-way transformation on a password that makes it essentially impossible to recover the original. Sites that properly hash your password never store a copy of it and can thus never recover it – and thus if a hacker gets in they can’t steal your actual password, only the much more difficult to work with hash value.
If the hash is properly “salted” then it is all but useless to hackers. The Linked-In hack was a catastrophe because Linked-In had failed to properly salt its hash.
Sounds like a recipe from a cooking show. But it’s all just math.
Crypto math is super geeky, and very very cool.
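To make the “hash” and “salt” exchange above concrete, here is an added example (my own code, not anything from the post, the commenters, LinkedIn or any password manager) that shows both halves: the bare SHA-1 storage behind the LinkedIn leak, where two users with the same password produce the same hash and one wordlist pass cracks everyone at once, next to a per-user salted and iterated hash (PBKDF2-HMAC-SHA256 from the standard library) that a site can verify but never reverse. The user names, passwords and wordlist are constructed sample data; the iteration count is a tunable assumption.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable

# Constructed sample data: two users who chose the same weak password, one who did not.
SAMPLE_USERS = {"alice": "trustno1", "bob": "trustno1", "carol": "7y0iCT1QApu|3W_E"}


def unsalted_sha1(password: str) -> str:
    """Bare SHA-1 of the password, the scheme behind the 2012 LinkedIn leak. Deterministic:
    identical passwords give identical hashes, and one precomputed table cracks them all."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = 200_000) -> Dict[str, str]:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). The 16-byte random salt is stored in the
    clear beside the hash; it is not a secret, it just makes every record unique so an
    attacker has to start from scratch for each user. Iteration count is an assumption."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": str(iterations), "hash": digest.hex()}


def verify(record: Dict[str, str], attempt: str) -> bool:
    """Recompute with the stored salt and iteration count; a constant-time compare means
    response timing cannot leak how many leading bytes of the hash matched."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), int(record["iterations"]))
    return hmac.compare_digest(digest.hex(), record["hash"])


def crack_unsalted(stolen_hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Offline attack on unsalted hashes: hash every guess ONCE, then look up each stolen
    hash in the table. Per-user salts force the attacker to redo the whole wordlist per user."""
    table = {unsalted_sha1(word): word for word in wordlist}
    return {h: table[h] for h in stolen_hashes if h in table}


if __name__ == "__main__":
    leaked = {user: unsalted_sha1(pw) for user, pw in SAMPLE_USERS.items()}
    print("unsalted alice == bob:", leaked["alice"] == leaked["bob"])              # True
    cracked = crack_unsalted(leaked.values(), ["123456", "password", "trustno1"])
    print("cracked:", [u for u, h in leaked.items() if h in cracked])              # alice and bob
    rec_a, rec_b = make_record("trustno1"), make_record("trustno1")
    print("salted alice == bob:", rec_a["hash"] == rec_b["hash"])                  # False
    print("verify:", verify(rec_a, "trustno1"), verify(rec_a, "trustno2"))         # True False
```

Note what the site keeps: salt, iteration count and hash, never the password itself, which is exactly why a properly built site cannot e-mail you your old password and can only issue a reset. The iteration count is the other half of the defence; it makes each guess deliberately slow for the attacker while costing the legitimate login only a fraction of a second.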