Insights For Success

Strategy, Innovation, Leadership and Security

Dropbox

Google One finally available to all US customers

GeneralEdward KiledjianComment
Google_One.PNG

I first wrote about Google One in May 2018, when it was still shrouded in secrecy.  The new storage program with improved storage capacities was an invitation-only program until today (for US residents anyway).

Per the original (Google Drive) model, storage is shared across all of the Google properties you use (GMAIL, Photos stored in full resolution, Drive, etc.)

  • 100 GB for $1.99
  • 200 GB for $2.99 (New)
  • 2 TB for $9.99 (2TB for the price of 1TB on the old plan)
  • 10 TB for $99.99
  • 20 TB for $199.99
  • 30 TB for $299.99
Google_One_2.PNG

If you use the Google Family sharing program (not available to Google Apps accounts, unfortunately), you can share your Google One storage with up to 5 family members. In addition to storage, Google is offering Google Play credit to Google One subscribers and promises to add even more benefits (24x7 support is now also included).

Many still see the Google One page as invitation only but expect this to change shortly. Rolling this new program out to its millions of customers is likely being undertaken in stages.

As a Canadian, I anxiously await any indication about when it will open for us.

Review of the free Mozilla Send service

GeneralEdward KiledjianComment
lett.jpg

As a citizen of the digital world, you probably transfer large files daily. Sure you could use Google Drive, Dropbox or OpenText Core but Mozilla believes there is a better way (Mozilla Send). Mozilla Send is a web experiment that allows you to easily transfer large files up to 1GB in size.

Mozilla Send can be used with any modern browser.

How to use Send

1 - Go to https://send.firefox.com/

send1.PNG

2 - Upload a file

send2.PNG

3 - Decide how many downloads you want to allow in a 24-hour window. Determine if you want to enable a download password.

4 - send the link to the recipient of the file.

Mozilla Send Security

Mozilla send uses AES-128 (AES-GCM algorithm) to encrypt and authenticate the file. Encryption is performed on the client before the file is uploaded to the Mozilla Send servers. Mozilla Send also uses the Web Cryptography API. This Web Cryptography API is the magic that performs hashing, signature verification, encryption, etc). All the security is performed without requiring any user intervention.

It is important to highlight the fact that anyone that intercepts the URL can download the file. The encryption key is appended to the URL.

Sample URL : https://send.firefox.com/download/2f3eea2e0f/#6kUB9cj4gXgTZWgDXrPEZQ

 

Important security notes:

  • Once 24-hours has elapsed or the maximum number of downloads has been reached, Mozilla Send deletes the file from the server
  • You can manually delete the file using the Delete button. An important note is that the Delete button only shows up on that initial download page. If you think you might need the delete button, keep that original upload confirmation page open. 

Web Experiment

Mozilla send is a Web Experiment and Mozilla is gathering usage statistics to determine if this is something they want to keep as a permanent offering. Right now it is a great example of solid design and engineering.

Best URL shorteners

GeneralEdward Kiledjian4 Comments
UTL_short.jpg

URL shorteners are something you either use a lot or never. Google launched it's own URL shortening service in 2009 with unique (at the time) features like third-party API access, QR code generation, ability to use easily on mobile. 

But Google is retiring this public facing service and replacing it with Firebase Dynamic Links (FDL) accessible by developers only. 

This is not surprising since Twitter retired Deck.ly when it acquired TweetDeck.

If you have links, Google is giving you until March 30, 2019, to figure out what you are going to do (even though you will lose the ability to create new short links on April 13). 

google_short1.PNG

What are the best Goo.gl alternatives?

bitly.PNG

1 - Bit.ly

The first alternative has to be Bit.ly which is one of the most popular URL shortening services on the internet and one of the oldest. You create an account and then generate short links as required (you can also choose a tag to group your URL). 

Bitly allows you to create custom branded short URLs, which is excellent for marketing. 

Owly.PNG

2 - Ow.ly

Hootsuite runs a service called Ow.ly. Ow.ly offers all of the features of Bit.ly but integrates with HootSuite. So if you use Hootsuite to manage your social media presence, this could be the best option for you.

The big difference is that Bit.ly allows you to quickly shorten a link from their main webpage without having to sign-up whereas Ow.ly does not.

rebrandly.PNG

3 - rebrandly.com

Many lists include Firebase from Google but I am omitting it since it is only designed for use by developers in apps (not useful for the average Joe). My last recommendation is Rebrandly.com which offers custom URL shorteners. Many large cloud companies are Rebrandly customers (such as Microsoft, Dropbox, etc).

rebrandly1.PNG

Before you get scared and look away, they offer a free tier that will meet the needs of most users.

Conclusion

A URL shortener is a service that you will rely on for years, and I have presented the companies (services) that look to be the most stable. Remeber that when the service disappears's your links break which could wreak havoc on your social strategy.

OPSEC : Backup Strategy for the Security Conscious

GeneralEdward KiledjianComment
backup_hero.png

RELATED: The best way to protect your data - images, music, documents

Even with all of the technological advancements we have made, backups are usually overlooked by the "average Joe" until something significant occurs (causing a massive shift in paradigm). 

Why backup

Traditionally we backed up our information in case the physical media we used (hard drive, DVD, ZIP Drive cartridge, Bernoulli Box, etc.) had a catastrophic incident. 

Modern headaches that we add to the justification list now include malware and cryptoware data modification, seizure at a border crossing or shutdown of a cloud service. 

When thinking about backups (as a security conscious individual), you are concerned about:

  • Recovering your files in their original format (not some compressed low-quality version of your precious originals)
  • Ensuring that only YOU can access your backed up information 

Know thyself

Before we can discuss how to protect your information, we need to know what and where that information is

Inventorying your information is not as simple as it first appears... Think of everywhere you have stored digital data. 

  • You have one or more email accounts possibly with various providers (Hotmail, Outlook, GMAIL, Yahoo Mail, your ISP, etc)
  • You could have contact information on Google, iCloud, Samsung Contacts, etc
  • You may have documents in Dropbox, Google Drive, Microsoft OneDrive, various 3rd party apps (diaries, note taking apps, etc)
  • You may have information (sometimes even forgotten) on USB keys, SD cards, CD/DVD disks, etc
  • This blog has information (articles) going back 7+ years

You get the picture. What first seems like a basic easy to answer question could quickly turn into a monstrous inventory activity. 

Once you know what you have, you then need to figure out which of these sources is the "master" copy. It is not uncommon for people to knowingly or unknowingly load duplicate information across multiple different storage mediums. This of the master as the version that you are likely to keep the most up to date. 

As an example, I recently did a photo duplicate cleanup and realized 15% of my total 1.5TB photo storage was duplicate files I had accumulated over the years. 

RELATED: OPSEC - How to securely delete files

It's time to strategize

In a previous article, I talked about the 3-2-1 backup strategy. The exact entry from my previous article was:

This is a simple way to remember the right way to backup and protect your data. 

  • You should always have 3 copies of your important data. This means one primary (aka the one you use on a daily basis) and 2 copies as backups.
  • You should always have your backups on 2 different types of media (one of your backups can be to an external hard disk while the other one should be to another type of media like DVD disk or to an online service).
  • You should always store 1 copy of your data to "somewhere else". This is to ensure recoverability in case your house or business experience a natural disaster. Now in most cases, this can be one of the popular online backup services or it can simply be you manually storing the media in another location like your office, a bank vault or leaving it in a friends house. To be extra careful, it is recommended to built-in some distance between you and the offsite backup in case a natural disaster eats a good part of your city. 

The reason we create the information inventory in the previous step is so that you can also backup your application datasets. As an example, if you use Google contacts, maybe export the file monthly in CSV format and make sure it is backed up (don't rely on the goodwill of the provider since they always cap their liability in the event of a catastrophic incident). If you use a journaling application, maybe export your entries in PDF and back that up. If you have pictures sitting on your smartphone, make sure a copy is taken and added to your backup strategy (Google Photos is good but it stored an "optimized" version which is not original). 

People often forget to back up basic information like their emails. To do this, you may need to install a "fat" email client on your computer and pull all the emails (or copies of them) from your mail provider then backup the local program database. Google isn't going away but there have been countless tales of users "losing" access to their accounts for months because Google made an arbitrary decision. Unless you are running your own infrastructure, assume the provider can stop your service and hijack your data at any time. 

A couple of years ago, I spent weeks scanning all my paper documents so that I could have digital easy to move, easy to backup versions. You will likely have to do the same.

Where to store your backups

Back to my 3-2-1 backup model, you should have 2 copies of the data you physically control and one up in the heavens we call "the cloud".

The size of your backup will dictate what kind of physical media you store it on. When backups were small, many users could get away with storing them on CD/DVD/Tape drives but these aren't practical for most modern users.

Most of you will likely store your local copies on some type of large local storage medium such as a USB key and/or hard-drive. If possible, store your local copies on 2 different mediums (USB key AND hard drive) or Spinning hard drive and SSD drives. 

You need one copy in the cloud. Local copies are great because you can restore access almost instantly, but if a major incident occurs, you may lose both of your physical copies. That is when your backup of last resort comes in (aka cloud backup). Remember to protect your cloud backups. You can do this by pre-encrypting the information before uploading it (which works if your backup is small and you are uploading to a service like Google Drive, Microsoft OneDrive or Dropbox). The other option is to use a backup service that lets you hold on to the encryption/decryption keys like Carbonite and Backblaze.

Make sure your backup provider has version control enabled. This means they store multiple versions of files. This is useful if you are infected with cryptolocker like malware that encrypts your files, you can go back to a version pre-encryption. This is also useful if you delete a file by mistake and want to go back in time and bring it back.

It's a process

Once you figure out what your backup strategy will be, you need to ensure it is "run" regularly. Nothing is worse than having a plan and then losing six months of data because you forgot to backup. Most cloud services offer near-line backups which is a nice set it and forget it model. 

You will have to ensure your local copies are regularly updated also. On my mac, I use the built-in and free RSYNC command in the terminal to synchronize via a scheduled task. There are also a tone of reasonably priced on device backup apps (if you don't want to fiddle with the terminal). These are examples but not endorsements:

Review of SpiderOak encrypted online storage

GeneralEdward KiledjianComment

Right or wrong, Edward Snowden has become the poster child for online privacy. He has been adamant that anyone interested in true online security should stay away from the name brand online services : Dropbox, Facebook, Google, etc.

Trust No One Security

Before we talk about SpiderOak, this is a good time to write about TNO (Trust No One Security model). This is a philosophy that dictates that anytime security is needed, strong encryption must be applied and the keys to that encryption must be kept in the hands of the user. 

As an example, anytime you conduct online transactions with your bank, you connection is encrypted using end-to-end encryption (TLS) but the keys are held by the bank and created by a certificate authority. Either of those 2 can therefore intercept and decrypt the traffic if they have malicious intent. 

In the TNO model, the provider does not hold the keys to the kingdom and cannot therefore decrypt or access the data in its native format. 

Anytime a provider has the capability of resetting your password, it means it is NOT TNO and it means the provider can access your data. If they can access your data, that means a hacker may also be able to compromise their systems and access your data.

What is SpiderOak?

Unless you are a techie or a security person, you probably haven't heard about SpiderOak. Short of rolling your own cloud service, SpiderOak is the most secure commercially available TNO cloud service around.

The key to the magical security they provide is that your client encrypts all of the data on your computer before being sent through the security hostile internet to SpiderOak. They cannot see the content and if you love you password (aka encryption key), you have to create a new account and restart from scratch.

So you get Dropbox, Google Drive and Microsoft OneDrive like features, without having to trust the provider. 

Why is TNO important?

Governments are becoming very hostile towards individual privacy. The Snowden leaks have shown that the secret FISA courts allow law enforcement to compel the turnover of user data without having the ability to notify them. With most cloud storage companies, this means they (or a hacker) can gain access to your data and then do with it whatever they want.

With SpiderOak's encryption model, they can turn over your encrypted data but they do not hold the decryption keys. The encryption is strong enough to make forced automated decryption unpractical. This means they would have to secure a court order and force you to hand over the decryption keys.

If a hacker does compromise the SpiderOak servers, the data is once again encrypted and therefore unusable by these bad actors. 

It also means they are not and cannot use your data to profile you. 

SpiderOak features

So you are convinced they offer the kind of security you want. What about features you say.

First and foremost, they offer automatic (on change) backups. This is a set and forget model that works in the background.  There is no file size limit. There is no file type restrictions. No bandwidth control or throttling on their end (some providers slow down your connection if you try backing up large amounts of files to protect the responsiveness of their service for their entire user population). 

It can backup mapped (external USB connected) drives. 

Any issues with SpiderOak?

Files are encrypted on your device and SpiderOak cannot access them unencrypted so they are unable to offer offline file delivery (sending you a hard drive with your files). 

Anytime my computer is disconnected for a while, Backblaze sends me alerts notifying me it hasn't been able to backup my files in XX days. SpiderOak has no such notification mechanism. They could implement this even with the TNO model.

During my testing, I simulated an unreliable WIFI connection to see how the client would react and eventually it hung. Even when the connection became stable and on for 8+ hours, the client stopped backing up. Rebooting didn't help. I was forced to uninstall the client, reinstall it and create a completely new backup set. This was a bit annoying. The doubly annoying issue was that support is only available through email. Support seems to be available during standard north american business hours and usually response takes 5-8 hours.

Another issue is that although they offer mobile clients (IOS and Android), those clients are read-only (aka you can't upload content). SpiderOak did say they are working to add this functionality but they didn't provide any timeline. "Currently, you are unable to upload documents using the Mobile Application. We are working on including this feature in a future release." (mobile info)

There is no way to identify a connection as "metered" and tell it not to backup using that connection (like a pay per use WIFI LTE hotspot).

Not a technical issue but the pricing is a bit more expensive than I would have hoped. I am willing to pay more for security but wish they offered more storage with each paid tier. 1TB of storage on Google and Dropbox costs $9.99 a month.

My experience

Overall my experience was good but not great. Because plans are capacity based, you can sync as many devices you want. Because everything is encrypted, there are no file type restrictions. 

Versioning worked well. They seem to use a bit level delta storage function which means you aren't consuming space for the entire file with every version.

SpiderOak provides tones of information about security. 

Files can only be permanently deleted from the original device they were uploaded from. This is a great feature.

You can right click on any folder (or file) in Windows explorer or the Mac finder and ask SpiderOak to back it up. Easy. 

You can download backed up files to any computer via the web interface.

Conclusion

There are small annoying things I would like them to solve but no major show stoppers. My biggest gripe is not being able to upload via mobile or Chromebook. I really wish they would solve this. 

Outside of that, I like everything else I have seen and think they should be your go to provider for safe and secure online storage.

Related articles:

  • Bruce Schnier on TNO here
  • Steve Gibson on TNO here.