Comment by quantadev 2 days ago
IMO the only way to perfectly protect yourself against Ransomware Attacks is with CD-Rs, because it's something not even hardware can alter. A skilled take over of the root level of a machine can be encrypting everything and you'd never know it, until the day it denies your access, by deleting an encryption key until you pay up to get it back...you hope.
Modern backup systems use reference counting mechanisms, which means you can set up any old versions policy you want. Something like "last 3 annual backups + last 12 monthly ones + last 8 weekly ones + last 30 daily ones" will help a lot against slow encryptors.
You'll want to ensure the malware can't destroy your backup, but that is possible too. A traditional way is to have a separate backup machine that runs backup program and pulls files remotely. Some backup apps can store directly to cloud storage and can work with "append only" permissions, to ensure that client can't delete existing backups. In this configuration, a separate trusted machine must run pruning periodically.
And what they say in the industries that need to take this ultra seriously (Banking and Insurance companies, for example) an untested backup is not considered a good backup. And the only way to truly test a backup is install a fresh image of the entire OS (using checksums on the image too), so that you can read the data and make sure no clever ransome-ware software is secretly encrypting EVEN your backups.
oh, btw. "Blockchains solve this" haha.
Well, yeah.. you never want to test backups on the same computer you made them, so to test them, you should go to secondary/friends/work computer and try to access the files. Boot from a fresh LiveUSB stick if you are feeling paranoid. At least once you have backup configured, there is often a fuse driver, so an easy way to do so is to browse backups and try to open a few documents at random.
As for "encrypting your backups", that's what the "check" command is for - it can't ensure that this .py file actually contains python code (and not encrypted data with ransomware message), but it can check that indices are well-formed, and file checksums match the uploaded contents. Obviously it should also be run on trusted machine.
Not sure what this whole "blockchain" comment was about.
That's a great idea about using just a LiveUSB thumb drive. Much better than my idea of actually "installing" a fresh OS.
The blockchain I mentioned was just a reference to the fact that with hashcodes on everything make corruptions at least detectable, but yeah it wasn't clear what I meant.
Fair enough! The danger with disks however is that it's an entirely manual operation which is easy to forget. Something setup-once-and-forget - local server or a cloud-based one like backblaze - is more likely to actually have the latest data when you need it.
(Another reason is that the disks do bit rot however, and you'll never know until it's too late. Meanwhile, my ZFS fileserver sends me a email every weekend that it's scrubbed all the disks and found no errors - this warms my heart :) )
It would be safer to use a read-only drive when reading back the backups.
Disk drives used to have a write-enable jumper on them. No more.
Or BD-Rs. 50GB on a single dual layer disc. Haven't finished the last spindle I bought, but I assume they're the cheapest per GB by now.
Checking diskprices.com - https://diskprices.com/?locale=us&condition=new,used&disk_ty... - there's a cheaper outlier for DVD-R, then it's 25GB BD-Rs for a bit.
LTO tape can be cheaper, but the cost of the drives has long been an obstacle to dabbling.
The problem goes away if you burn slow, no faster than half the disc's max speed, to adequately affect the dye. I have CD-Rs and DVD-Rs that are 20 years old and work great. Inherent rot is mainly a problem with pressed discs which use aluminum instead of silver or gold for the reflective layer.
I burn my CD-Rs at a very low speed, like someone else mentioned below, so the laser does a better burn. I don't use CD-Rs as primary backup. I have 10 external hard drives, 20 thumb drives, and do a CD-R only once every couple of weeks. I just feel better having multiple different hardware devices used.
Speaking of that...I need to look into online storage solutions myself. I mean even a zip file on Google Drive! Not doing that currently. I always rotate thru literally 20 different devices for my backups, but if a meteor hits my house it's all gone.
So many non-technical people think "a backup" is enough. I learned long ago to keep 20.
Things like RDX backup cartridges have a physical write protect lever on them
A few years ago (before affordable cloud backup offerings) this was fairly common for Small Businesses to use, for this reason.