Comment by quantadev
3 days ago
IMO the only way to perfectly protect yourself against Ransomware Attacks is with CD-Rs, because it's something not even hardware can alter. A skilled take over of the root level of a machine can be encrypting everything and you'd never know it, until the day it denies your access, by deleting an encryption key until you pay up to get it back...you hope.
Things like RDX backup cartridges have a physical write protect lever on them
A few years ago (before affordable cloud backup offerings) this was fairly common for Small Businesses to use, for this reason.
Only works if the software cannot circumvent it (implemented fully in hardware).
Modern backup systems use reference counting mechanisms, which means you can set up any old versions policy you want. Something like "last 3 annual backups + last 12 monthly ones + last 8 weekly ones + last 30 daily ones" will help a lot against slow encryptors.
You'll want to ensure the malware can't destroy your backup, but that is possible too. A traditional way is to have a separate backup machine that runs backup program and pulls files remotely. Some backup apps can store directly to cloud storage and can work with "append only" permissions, to ensure that client can't delete existing backups. In this configuration, a separate trusted machine must run pruning periodically.
And what they say in the industries that need to take this ultra seriously (Banking and Insurance companies, for example) an untested backup is not considered a good backup. And the only way to truly test a backup is install a fresh image of the entire OS (using checksums on the image too), so that you can read the data and make sure no clever ransome-ware software is secretly encrypting EVEN your backups.
oh, btw. "Blockchains solve this" haha.
Well, yeah.. you never want to test backups on the same computer you made them, so to test them, you should go to secondary/friends/work computer and try to access the files. Boot from a fresh LiveUSB stick if you are feeling paranoid. At least once you have backup configured, there is often a fuse driver, so an easy way to do so is to browse backups and try to open a few documents at random.
As for "encrypting your backups", that's what the "check" command is for - it can't ensure that this .py file actually contains python code (and not encrypted data with ransomware message), but it can check that indices are well-formed, and file checksums match the uploaded contents. Obviously it should also be run on trusted machine.
Not sure what this whole "blockchain" comment was about.
1 reply →
That's all true, and probably a better system overall, but burning an optical disk, labelling it, and putting it on a shelf does feel like a more accessible backup regime for many people. :-)
Fair enough! The danger with disks however is that it's an entirely manual operation which is easy to forget. Something setup-once-and-forget - local server or a cloud-based one like backblaze - is more likely to actually have the latest data when you need it.
(Another reason is that the disks do bit rot however, and you'll never know until it's too late. Meanwhile, my ZFS fileserver sends me a email every weekend that it's scrubbed all the disks and found no errors - this warms my heart :) )
Can a CD-R drive force a second pass burning over existing data to make the disc unusable? Perhaps with drive firmware modification.
Afaik you can "erase" contents of a disk with open session. Data is still there just invisible without specialized tools, enough to fool non nerds.
It would be safer to use a read-only drive when reading back the backups.
Disk drives used to have a write-enable jumper on them. No more.
IIRC, those were more of a suggestion from the drive to prevent writing. It didn’t actually physically prevent it from being overwritten.
Drives? I havent seen one yet. Floppies yes, but just like SD cards its just a plastic piece being read by controller GPIO and a mere suggestion to the hardware.
There are forensic Write blockers for drives tho starting at around $200 for SATA/IDE solution.
Some of really old SCSI and (I think)IDE HDDs did have "WP" jumper positions. I don't know practically how it was implemented, though.
What about DVD-Rs and DVD+Rs?
Or BD-Rs. 50GB on a single dual layer disc. Haven't finished the last spindle I bought, but I assume they're the cheapest per GB by now.
Checking diskprices.com - https://diskprices.com/?locale=us&condition=new,used&disk_ty... - there's a cheaper outlier for DVD-R, then it's 25GB BD-Rs for a bit.
LTO tape can be cheaper, but the cost of the drives has long been an obstacle to dabbling.
1 reply →
You don't need to worry about ransomware destroying the data on your writable DVDs, the discs themselves can do that fine.
Yeah disc rot is a real problem. CD/DVD-R are great when it comes to physically store drives (they don't take much space on a shelf and are easely sent via mail) but I'd rather use a hard drive and the cloud for my backups now.
2 replies →
i use dropbox
Speaking of that...I need to look into online storage solutions myself. I mean even a zip file on Google Drive! Not doing that currently. I always rotate thru literally 20 different devices for my backups, but if a meteor hits my house it's all gone.
So many non-technical people think "a backup" is enough. I learned long ago to keep 20.
I personally use a hard drive in my house, and a cold storage solution (Glacier) from a reputable provider.
This would have been a great comment if you were that original 'why not use FTP?' guy :)
I use FTP.