Be Paranoid About Your Data

Last week wasn’t a very good week.  Over the weekend the hard drive on my iMac failed and by failing Mac OS X said it couldn’t repair the drive so it came up read only mode.  So I did the sensible thing and copied the entire contents to my external Drobo (essentially striped RAID).

Then Monday morning the Drobo wouldn’t boot up.  It would just do a continuous boot and restart.  Not good, but at the end of the day all of our most important stuff, the source code for projects, is stored on a commercial source code hosting service.  In case of theft or disaster of my equipment I’m only down as long as it takes me to buy a new computer and download the repositories.

The Mac hard drive was replaced by Monday night and by Monday afternoon Drobo tech support had the Drobo back up and running.  They didn’t give a reason but I suspect that because the Mac had hard crashed a few times (due to the bad drive) it got into a state that it didn’t know how to recover from.  But it works and I didn’t lose any data.

Tuesday when things started to go back to normal we couldn’t reach our source code hosting service, Code Spaces.  On Twitter they said they were experiencing a DDOS attack and I didn’t worry to much about it.  They’re the experts, right?

By Wednesday they still weren’t back up.  A little concerned I went to their website and found the message that you never want to hear.  They accounts had been hacked and ALL of their repositories had been deleted.  Oh, and pretty much immediately they are ceasing operations as a company.  You can read more about it at http://www.codespaces.com and http://www.electronista.com/articles/14/06/18/hosting.company.returning.what.data.it.has.left.financially.crippled.by.attack/

So much for the offsite backups.  The fact that the backups could be accessed through their Amazon Web Services account should give anyone pause for concern.  Is your web services company really paranoid enough to protect your data?

I know more than a few people have given Xojo some grief that their security for Xojo Cloud is over the top.  Maybe it is, but then you hear stories like this and you start to wonder if maybe being overly paranoid is a good thing.

So here is my advice.  Have multiple sources of backups.  Keep one source in a safety deposit box and update it regularly.  Use a commercial host that you trust.  There’s no guarantee they they won’t be the next Code Spaces and get hacked but hopefully this incident was a warning to them to be more paranoid and strengthen their security procedures.

I know of developers that backup everything to a thumb drive on their keyring.  I’m not sure that’s entirely secure but if that makes them feel better so be it.  At least their source code is always with them.

While last week was not a good week at least I’m learning to be even more paranoid about my data.  Being paranoid about your data is a good thing.

Xojo: Operation Lockdown

It’s always nice when a client gets to talk in the keynote address at Real World (now Xojo Developer Conference).  Brent Huston, CEO of Microsolved, was invited to speak during the Xojo keynote address last week.  Brent talked about the Operation Lockdown that his company, Real Software (Xojo, Inc.) and BKeeney Software are participating in.

Brent has been using Real Studio desktop applications for some of his security apps for a number of years with great success.  He’s now interested in Web Edition and wanted to see where the vulnerabilities were in the framework and what we could to do fix them.

We (BKeeney Software) came up with a simple Web Edition app that mimics what a typical web app would have in it (Login page, admin only pages, user pages, etc) and hardened it to the best of our ability.  Brent’s team then took the standalone web app and used their hundreds of hacking and infiltration tools to see if it would fail.  They also attempted manual penetration testing of the web app.

I’d love to say they found nothing but that’s not the case.  They found a few critical, a few minor, and a few false positive issues.  The good thing is that the critical issues have already been taken care of by Real Software and will be in Xojo Release 1.  Some of the minor issues and other requirements will be added later, according to Xojo, Inc.

The very good news is that the Web Edition framework is pretty stable.  The Session management, according to Brent, is very robust against all known forms of attack.  Using some very simple coding techniques Web Edition web apps proved to be immune to SQL injection attacks and other common vulnerabilities.

Brent recommended that when Xojo R1 is released all Web Edition developers re-release their web apps compiled with it since a number of items his team found are fixed in the upcoming version.

During a Friday session Brent shared, with a packed room, how bad guys (and certain nation states) view your web applications and data.  It was very, very scary stuff and I think everyone walked out of the room wondering not IF our personal/business data has been hacked but how long ago it was compromised.  Scary stuff.

Lot’s of things to think about but it was encouraging to hear that Web Edition was pretty secure.  Perhaps what’s even better is that I overheard a Xojo engineer saying something to the effect of, “That will be changed for R1 to prevent THAT issue from happening,” in reference to a “man in browser” vulnerability.  It’s nice to know they’re taking security seriously in Web Edition (though the irony of their website getting hacked did not go unnoticed by conference attendees).