Archive for August 22, 2017

Tuesday, August 22, 2017

What You Can Learn From LockState

Mark Bessey:

The root cause of this incident was apparently that LockState had produced an update intended for one model of their smart locks, and somehow managed to send that to a bunch of locks that were a different model. […] It’s trivially-easy to avoid this issue, using a variety of different techniques. Something as simple as using a different file name for firmware for different devices would suffice. If not that, you can have a “magic number” at a known offset in the file, or a digital signature that uses a key unique to the device model.

[…]

Every remote firmware update process should have the ability to be tested internally via the same process end-users would use, but from a staging environment.

[…]

Tying into the previous point, wouldn’t it be great if you could measure the percentage of systems that were successfully updating, and automatically throttle the update process based on that feedback?
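The magic-number and per-model key checks described in the quote above, as an added example (not code from Mark Bessey's post or from LockState): the header layout, magic value, model IDs and keys are all constructed, and an HMAC stands in for the digital signature so the block needs only the standard library.

```python
import hashlib
import hmac
import struct

MAGIC = b"FWIM"                    # constructed magic number at offset 0
HEADER = struct.Struct(">4sHI")    # magic, model id, payload length
TAG_LEN = hashlib.sha256().digest_size
MODEL_A, MODEL_B = 1, 2            # constructed model identifiers

# Constructed per-model keys. A shipping device would hold only a public key
# for its own model and verify an asymmetric signature instead.
MODEL_KEYS = {MODEL_A: b"constructed-key-model-a",
              MODEL_B: b"constructed-key-model-b"}


def build_image(model_id: int, payload: bytes) -> bytes:
    """Build side: prepend the header, append a tag keyed to the model."""
    body = HEADER.pack(MAGIC, model_id, len(payload)) + payload
    return body + hmac.new(MODEL_KEYS[model_id], body, hashlib.sha256).digest()


def check_image(image: bytes, my_model: int, my_key: bytes) -> str:
    """Device side: return 'ok' or the reason the image is refused."""
    if len(image) < HEADER.size + TAG_LEN:
        return "truncated"
    magic, model_id, length = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        return "bad magic"
    if len(image) != HEADER.size + length + TAG_LEN:
        return "length mismatch"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    # The header is unauthenticated until the tag verifies, so check the tag
    # with this device's own key before trusting the model field.
    expected = hmac.new(my_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "bad tag"
    # Second, independent layer: catches a build that reused one key
    # across models.
    if model_id != my_model:
        return "wrong model"
    return "ok"
```

An image built for one model fails the tag check on a device of the other model, and the explicit model field still refuses it if the build pipeline mistakenly signs both models with the same key.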

Cloudflare’s Lava Lamps

Katharine Schwab:

When you walk into the San Francisco office of the cloud network and security firm Cloudflare, you’re greeted by a receptionist–and a giant wall of 100 lava lamps. It isn’t just a throwback to the 1960s. The lava lamps act as a random number generator, helping to encrypt the requests that go through Cloudflare, which make up 10% of all internet requests.

[…]

Cloudflare turns the “Wall of Entropy” into encryption using a camera that photographs the wall every millisecond of every day of the year. Any one of the company’s systems can turn the display of pixels–which changes based on a multitude of factors, like the movement of the lava, the inclusion of anyone who’s walking by, and the shifting daylight–into random numbers.

[…]

In London, they use dual pendulums. While a single pendulum swinging back and forth is very predictable, mathematicians have shown that if you take a pendulum and hang another pendulum from it, you’ll create a system that no one has figured out how to model.

Swift 4: Synthesizing Equatable and Hashable Conformance

SE-0185:

Developers have to write large amounts of boilerplate code to support equatability and hashability of complex types. This proposal offers a way for the compiler to automatically synthesize conformance to Equatable and Hashable to reduce this boilerplate, in a subset of scenarios where generating the correct implementation is known to be possible.

Terrific.

CrashPlan Discontinues Consumer Backups

CrashPlan (Hacker News, MacRumors, Reddit, 9to5Mac, Backblaze):

Thank you for being a CrashPlan® for Home customer. We’re honored that you’ve trusted us to protect your data.

It’s because of this trust that we want you to know that we have shifted our business strategy to focus on the enterprise and small business segments. This means that over the next 14 months we will be exiting the consumer market and you must choose another option for data backup before your subscription expires. We are committed to providing you with an easy and efficient transition.

They’re keeping the small business plan, which at $10/month is twice the cost of the individual version (which itself had gone up quite a lot in recent years). This is the only transition option that will preserve your years of backup history. If you switch to another provider and later find out that you need to restore a version of a file from 2016, you’re out of luck. Plus, depending on your data set and connection speed—my mother has less than 100 GB of data but only a DSL connection—it may take months just to upload the current versions of your files to another provider.

I’m not sure what differences there might be in switching to the business version, but based on the way the company has behaved I no longer want to rely on them. I would prefer to transition my family members to a service equivalent to CrashPlan Home, but there doesn’t seem to be one that’s good. (See the Backblaze and Carbonite caveats below.) Right now, the leading contender is probably Arq, which is a bit more complicated to set up and not as easy to remotely monitor, though probably cheaper in the long run.

For years, I’ve relied on CrashPlan both as an offsite backup and as a long-term history. I have a bunch of clone drives that I don’t rotate, so I have some ability to go back and get old files. But what I liked about CrashPlan was that it would let me go back and get any version of any file. That’s not easy to manage with local backups both because of the available software and the limited drive sizes.

After running into CrashPlan limitations a few months ago, I realized that I could no longer rely on it for long-term history and started using local Arq backups for that. However, I’d like to find another solution (other than clones and Time Machine, which corrupts itself too often) so that I don’t have all my eggs in one basket.

Joe Payne:

This is not an easy course of action for us at Code42 for a couple of reasons. First, we have consumers who love our CrashPlan for Home product and trust us every day to protect their personal files. Second, our number one core value at Code42 is “Put the Customer First” and our announcement today may seem to be at odds with that. But, it is precisely this core value that led us to the strategic decision to focus on business customers. And, in order to serve businesses well, we need to prioritize their needs–which have diverged from the needs of the consumer.

[…]

The benefit for our business customers is that we now have a singular focus on solving their complex data protection, security and compliance challenges. In addition, we will be able to accelerate our R&D investments that strengthen our technology foundation and further our data protection innovations.

Joe Kissell:

On 22 October 2018, the consumer version of the CrashPlan app will stop working entirely — that includes local and peer-to-peer backups. So, even if you weren’t backing up to CrashPlan Central (Code42’s cloud storage space for consumers), you won’t be able to keep using the CrashPlan app.

[…]

Code42 offers a discount on a Carbonite subscription, along with assistance in migrating to Carbonite. […] Unfortunately, while Carbonite is not bad on Windows, I would not recommend it to Mac users, because the Mac version offers neither versioning nor the option to use a personal encryption key. Plus, Carbonite artificially restricts upstream bandwidth, making it significantly slower than many competitors.

[…]

Backblaze is fast, reliable, and secure, and it costs $5 per month per computer. […] Backblaze stores deleted files and older versions of files for only 30 days, whereas CrashPlan lets you keep them indefinitely.

[…]

As angry as I am about this news, I’m livid about being misled.

Over the past few years, Code42 has made several moves that, in retrospect, were the proverbial writing on the wall. […] Each time one of these things happened, I wrote to my contacts at Code42, who downplayed the significance of these changes and assured me, repeatedly, of their ongoing commitment to the consumer market.

Update (2017-08-24): Peter Cohen:

Look, not to go all Fox Mulder here, but Crashplan’s consumer product pullout demonstrates an important principle: You can’t trust anyone when it comes to the safety of your data.

That’s why your first defense against data loss should be the local backup. Preferably multiple copies, but that amount of redundancy may not be for everyone. But don’t trust yourself. Find an offsite service that you trust to store your data. Use them as a secondary line of defense.

Storing your valuable data in the cloud is an excellent backup practice. Just don’t make it your only one.

Update (2017-08-28): See also: Backblaze (FAQ, tweet), Retrospect.

Charles Perry:

If @crashplan had simply raised prices, I would have paid. But if I have to redesign my backup strategy anyway, I might as well shop around.

Update (2017-08-29): See also: MacVoices.

Update (2017-09-04): One great feature of CrashPlan was the regular e-mails telling me when each Mac last backed up and how much data had been copied. Unfortunately, the e-mail that I got from Backblaze was actually misleading. About two weeks after removing the Backblaze trial from my Mac, I got an e-mail telling me that my files “are automatically being backed up.”

This is a good MacInTouch thread about Backblaze, CrashPlan, and Retrospect (via John Gordon).

Update (2017-10-03): Joe Kissell:

After carefully comparing 19 services and testing six, we believe that Backblaze (currently $50 per year per computer) is the best online backup service for most people, as it offers a great combination of useful features, unlimited storage, and excellent performance at an attractive price—the proverbial cost of a latte per month. Backblaze offers fast, reliable backups, as well as the simplest setup process I’ve seen and a number of nice touches.

[…]

Runner-up IDrive is more expensive than Backblaze and offers only 2 TB of storage, but it lets you back up from or to network volumes, offers indefinite retention of deleted files and old versions of files, lets you seed an initial backup at no charge, and provides the fastest throughput of any service in our test group. If Backblaze isn’t suitable for your needs and you’re willing to spend a bit more, IDrive may be an excellent choice.