Comment by theamk
2 days ago
Modern backup systems use reference counting mechanisms, which means you can set up any old versions policy you want. Something like "last 3 annual backups + last 12 monthly ones + last 8 weekly ones + last 30 daily ones" will help a lot against slow encryptors.
You'll want to ensure the malware can't destroy your backup, but that is possible too. A traditional way is to have a separate backup machine that runs backup program and pulls files remotely. Some backup apps can store directly to cloud storage and can work with "append only" permissions, to ensure that client can't delete existing backups. In this configuration, a separate trusted machine must run pruning periodically.
And what they say in the industries that need to take this ultra seriously (Banking and Insurance companies, for example) an untested backup is not considered a good backup. And the only way to truly test a backup is install a fresh image of the entire OS (using checksums on the image too), so that you can read the data and make sure no clever ransome-ware software is secretly encrypting EVEN your backups.
oh, btw. "Blockchains solve this" haha.
Well, yeah.. you never want to test backups on the same computer you made them, so to test them, you should go to secondary/friends/work computer and try to access the files. Boot from a fresh LiveUSB stick if you are feeling paranoid. At least once you have backup configured, there is often a fuse driver, so an easy way to do so is to browse backups and try to open a few documents at random.
As for "encrypting your backups", that's what the "check" command is for - it can't ensure that this .py file actually contains python code (and not encrypted data with ransomware message), but it can check that indices are well-formed, and file checksums match the uploaded contents. Obviously it should also be run on trusted machine.
Not sure what this whole "blockchain" comment was about.
That's a great idea about using just a LiveUSB thumb drive. Much better than my idea of actually "installing" a fresh OS.
The blockchain I mentioned was just a reference to the fact that with hashcodes on everything make corruptions at least detectable, but yeah it wasn't clear what I meant.
That's all true, and probably a better system overall, but burning an optical disk, labelling it, and putting it on a shelf does feel like a more accessible backup regime for many people. :-)
Fair enough! The danger with disks however is that it's an entirely manual operation which is easy to forget. Something setup-once-and-forget - local server or a cloud-based one like backblaze - is more likely to actually have the latest data when you need it.
(Another reason is that the disks do bit rot however, and you'll never know until it's too late. Meanwhile, my ZFS fileserver sends me a email every weekend that it's scrubbed all the disks and found no errors - this warms my heart :) )