A reader wonders:
How safe is shroud.com?
Barrie Schwortz’ shroud.com is an irreplaceable treasure. Could it disappear tomorrow because of hackers? It deals with a highly controversial topic that is unavoidably an affront to atheists and many religious people. As such it is a natural target for idealists or extremists of all kinds and particularly a group of hackers who call themselves “Anonymous.” They could probably take down the website in a few minutes. Would they also destroy backup copies of the website’s contents?
Is a full backup copy of the website stored somewhere such that it is inaccessible to the hosting company and the people, like Barrie, who update the site? THIS IS NOT A MATTER OF TRUST. It is about protection against spoofers and hackers of all kinds. Think in terms of identity theft. Could someone posing as a technician for the hosting company or posing as Barrie Schwortz erase the entire site and all backup copies? For protection against this sort of thing, password protected archives will not suffice. Third party backup companies doing multicyclic pull backups is essential. Push backups are vulnerable. If Barrie or a technician can erase or overwrite backup, then it will likely happen in the event of a takedown attack.
How much damage could someone posing as Barrie do? I imagine it would be 100%. Only files stored on third party systems or on dismounted DVD media would be safe. And how much damage could someone posing as a technician of the hosting company do in just a few minutes? Just as much.
After discovering what may have been an attempt to infiltrate my blog, I am implementing two-step authentication. For this I need a userid and password to gain access to the host and my cellphone, in hand, to confirm it is me who is signing on. As for backup, I’m trusting WordPress on a daily basis and I now plan to do monthly backups to DVD.
You may want to consider USB drive. You can get a 16GB for almost nothing which holds twice what a dual layer DVD does.
I went on our site one day to do some updates and it was not there. It was not a hacker, but the provider had performed server maintenance and inadvertently wiped out our site. If I didn’t make some changes, it would have been operational again in the amount of time it takes to upload everything. Offline backup is essential in this connected world.
Actually, this is something any of us can help with. If you download an application like HTTrack, it’s easy to create your own, local mirror or backup of any website. I have no idea how big the site is in bytes — after 18 years, probably very big — but assuming a decent broadband connection, you could have your own backup of the site within a few hours.. Thus, if the site were to go down or be compromised, you’d be able to help get it back up pronto. You could even set up a recurring, incremental backup that periodically scans the site for updates and downloads just those.
On a related note, don’t discount the value of cloud storage — not as a replacement for physical media but a supplement. Dropbox, box.com, SkyDrive, Google Docs, etc. all allow you to store huge amounts of data for free. Even the paid accounts which offer storage into the terrabytes are fairly reasonable. They’re also excellent for files you want to share with others or make publicly available.
Finally, once a ‘canonical’ backup of the site exists, it would probably be good to set it up for distribution as a torrent, as is explained here: http://www.sidewalkcrusaders.com/bthowto/btstart.html
Now I’m really getting carried away, so I’ll stop there. I’ve got to run to an IT meeting anyway (I know, big surprise.)
The hackers are getting more and more subtle and aggressive. Despite the good security on my own home PC, I’ve had two serious infections over the last year, one during a visit to the “JesusisKing” site. Blog sites, including WordPress sites, are favourite phishing targets for email addresses. The scammers are changing their malware signatures every few hours, and it is near impossible for the antivirus and security houses to keep abreast of the play. Keep your own security well up to date, and often. And if you get a ‘phone call from some plausible person claiming that your PC security is under threat but they will fix it for you, give them the bum’s rush! It’s just another scam!
Yes, I can guess that you have to do something to maintain the integrity for your site. It is a shame that there are evil atheists or non-believers who feel that they have to so something to stop anything that speaks of God. I guess that stopping the promulgation of Shroud material is a double hit. I have no suggestions as to anything you can do in addition to what you are doing mow though..
I have heard from many people on this subject today. I think the systems in question are secure. In particular, I have heard from Barrie. He’s on top of the situation, I’m convinced of that, and there is nothing to be gained from detailing how and what he does.
As for my blog, the one attempt I know of was a failed repetitive attempt to log in. Dual authentication now makes this nearly impossible. Even with my password, the hacker needs my physical cell phone and a bar code to log in. I am quite comfortable with it. I back up incrementally without images frequently. With images, I do so once a month and mail the backup DVD to a post office box where I keep three monthly cycles.