Software entrepreneur Joel Spolsky says that's a good start, but only part of it:
[L]et’s stop talking about “backups.” Doing a backup is too low a bar. Any experienced system administrator will tell you that they have a great backup plan, the trouble comes when you have to restore.
And that’s when you discover that:
- The backed-up files were encrypted with a cryptographically-secure key, the only copy of which was on the machine that was lost
- The server had enormous amounts of configuration information stored in the IIS metabase which wasn’t backed up
- The backup files were being copied to a FAT partition and were silently being truncated to 2GB
- Your backups were on an LTO drive which was lost with the data center, and you can’t get another LTO drive for three days
- And a million other things that can go wrong even when you “have” “backups.”
The minimum bar for a reliable service is not that you have done a backup, but that you have done a restore.
As someone who's got reliable, clockwork backups running, and has had them fail for one of the reasons Spolsky listed (and others that he didn't), I think this is tremendously good advice.
I don't know where this came from originally, but...well, look:
And you don't let a convicted hacker near the prison computers, either:
Douglas Havard, 27, serving six years for stealing up to £6.5million using forged credit cards over the internet, was approached after governors wanted to create an internal TV station but needed a special computer program written.
He was left unguarded and hacked into the system's hard drive at Ranby Prison, near Retford, Notts. Then he set up a series of passwords so no one else could get into the system.
How could this be worse? Glad you asked:
The blunder emerged a week after the Sunday Mirror revealed how an inmate at the same jail managed to get a key cut that opened every door.
It's scary when the Mirror starts to sound like the Onion...
(Via Bruce Schneier.
I can't wait to see what they'll have us do after this:
On the evening of Aug. 28, Prince Mohammed bin Nayef, the Saudi Deputy Interior Minister — and the man in charge of the kingdom’s counterterrorism efforts — was receiving members of the public in connection with the celebration of Ramadan....
One of the highlights of the Friday gathering was supposed to be the prince’s meeting with Abdullah Hassan Taleh al-Asiri, a Saudi man who was a wanted militant from al Qaeda in the Arabian Peninsula (AQAP). Al-Asiri had allegedly renounced terrorism and had requested to meet the prince in order to repent and then be accepted into the kingdom’s amnesty program. Such surrenders are not unprecedented....
But the al-Asiri case ended very differently from the al-Awfi case. Unlike al-Awfi, al-Asiri was not a genuine repentant — he was a human Trojan horse. After al-Asiri entered a small room to speak with Prince Mohammed, he activated a small improvised explosive device (IED) he had been carrying inside his anal cavity. The resulting explosion ripped al-Asiri to shreds but only lightly injured the shocked prince — the target of al-Asiri’s unsuccessful assassination attempt.
(Via Bruce Schneier.)
I learned a valuable lesson yesterday: when you lock your computer to your hotel room desk, and you put the cable-lock key in your pocket, you have to remove the key from your pocket before sending the slacks down to the laundry.
This realization crept up on me over a very quiet 90-second period that started when I looked in my room safe for the key and didn't find it there.
I won't keep you in suspense: housekeeping found and returned the key this morning. This is good, because I had no idea how I was going to fit the desk in the overhead compartment on my flight home.
Photos and reviews of Ribfest tomorrow morning. Right now, though, I'm all about the novelty of updating TDP from my phone. Also tomorrow, I'll explain why this is a bigger deal than it seems.
Via Bruce Schneier, a demonstrably incompetent police chief in the UK has resigned after mishandling a secret document:
Police were forced to carry out raids on addresses in the north-west of England in broad daylight yesterday, earlier than planned, after [Bob] Quick, the Metropolitan police's assistant commissioner [and senior-most counter-terrorism official], was photographed carrying sensitive documents as he arrived for a meeting in Downing Street.
A white document marked "secret", which carried details of the operation being planned by MI5 and several police forces, was clearly visible to press photographers equipped with telephoto lenses.
Yesterday, realising the existence of the photographs of the document – which included the names of several senior officers, sensitive locations and details about the nature of the overseas threat – the government imposed a "D notice" to restrict the media from revealing the contents of the picture.
The Guardian article has a photo of the document, taken as Quick got out of his car.
Police also revealed that Quick's Windows password was "bob1" and that he routinely leaves his keys in his car "so [he'll know] where to find them."
Two examples of totally ineffective security responses in today's news. First, in suburban Chicago, a commuter-rail ticket agent called police about a man with a gun boarding a train, causing a two-hour delay as heavily-armed cops evacuated and searched the train. They found the man with the gun when the man in question saw the commotion and identified himself as a Secret Service agent, not realizing he was himself the target of the search:
Metra spokeswoman Judy Pardonnet said the incident began when a plainclothes Secret Service agent asked a Naperville ticket agent whether there were metal detectors aboard the BNSF Line train and indicated he was carrying a gun.
Kristina Schmidt of the Secret Service office in Chicago said a preliminary review showed the agent had acted properly and identified himself to the ticketing staff.
Schmidt said the agent noticed the Metra employees eyes go to his waist and look at his service weapon as he was taking out his wallet to buy a ticket.
"He verbally identified himself as law enforcement and said that he was armed," Schmidt said. "That was pretty much the extent of their conversation."
Assuming all was fine, the agent boarded the train, she said.
It was a few minutes later that police boarded the train. The agent again identified himself, Schmidt said, not realizing his interaction with the Metra employee had led to the train being stopped.
The ticket agent had told police a suspicious man was asking "unusual questions that were security-based" at the Naperville Metra station, Naperville Police Cmdr. Dave Hoffman had said. Officers were unsure if the man got on the train so authorities decided to stop it near Lisle to search for him, he said.
Farther afield, in the U.K., a official for a prision lost an encrypted memory stick containing personal health information about prisoners. The problem? The password was taped to the stick (via Bruce Schneier):
Health bosses have apologised after a memory stick containing patient information was lost at Preston Prison.
An urgent investigation was launched after the USB data stick – with the password attached to it on a memo note – went missing on Tuesday, December 30.
The stick may have contained information of up to 6,360 patients.
Kudos to everyone involved for using your heads and keeping us all safe!
Via Bruce Schneier, a woman brought clearly-labeled gunpowder through a TSA checkpoint, in the regulation size baggies:
Mind you, I had packed the stuff safely. It was in three separate jars: one of charcoal, one of sulphur, and one of saltpetre (potassium nitrate). Each jar was labeled: Charcoal, Sulphur, Saltpetre. I had also thoroughly wet down each powder with tap water. No ignition was possible. As a good citizen, I had packed the resulting pastes into a quart-sized "3-1-1" plastic bag, along with my shampoo and hand cream. This bag I took out of my messenger bag and put on top of my bin of belongings, turned so that the labels were easy for the TSA inspector to read.
I expect she'll get noticed the next time she flies...
From my dad, yet another New York Times article to make you all warm and fuzzy inside:
Thieves Winning Online War, Maybe in Your PC
Despite the efforts of the computer security industry and a half-decade struggle by Microsoft to protect its Windows operating system, malicious software is spreading faster than ever. The so-called malware surreptitiously takes over a PC and then uses that computer to spread more malware to other machines exponentially. Computer scientists and security researchers acknowledge they cannot get ahead of the onslaught.
As more business and social life has moved onto the Web, criminals thriving on an underground economy of credit card thefts, bank fraud and other scams rob computer users of an estimated $100 billion a year, according to a conservative estimate by the Organization for Security and Cooperation in Europe. A Russian company that sells fake antivirus software that actually takes over a computer pays its illicit distributors as much as $5 million a year.
Sigh.