Category Archives: Tools

CloudBerry Backup

Backups are important. I tell people that they should think about how much work would be involved if they lost all their data, and had to create or gather it all again. Considering that work is usually enough to get people talking seriously about backups.

This consideration informs decisions about the backup process to be used: what should be backed up, how often backups should run, where backups will be stored, and how many backup versions will be kept.

My own backup requirements are like those of anyone who has done any amount of work that they would hate to lose: documents, email, financial records, pictures, artwork, and even browser bookmarks. The only difference is that I also provide full or partial backup services to my clients.

A few years ago, I realized that I needed an off-site backup system to complement my local backups. In the nightmare scenario involving total loss of all computers and storage devices resulting from a house or office fire, all local backups would also be lost.

And so I started looking at backup software that would allow me to maintain backups of critical data somewhere besides my home/office.

Storage required

Off-site backup storage takes many forms, including taking physical backup media off-site daily. These days it most often involves a paid service such as Amazon S3.

Remote services are often referred to as ‘cloud’ services, but they mean the same thing: the service runs on someone else’s computer. Of course, storing your irreplacable, private data on someone else’s computer sounds scarier than storing it ‘in the cloud’ so that’s the term we hear most often.

There are some special considerations when you start looking at using cloud storage for backups: additional costs, network bandwidth, vendor trustworthiness, privacy, and encryption.

The encryption issue alone requires careful consideration. Is your data encrypted in transit? Is it stored in encrypted form on the cloud service? Who has the keys to decrypt your data?

For my own backups, I settled on the DreamObjects storage service provided by Dreamhost. I’ve been using Dreamhost for client web sites and related services for years, and I’ve always found their support to be first rate. I have had a few problems with the DreamObjects service, including some reliability issues, but these were resolved quickly and satisfactorily by Dreamhost support.

My requirements

In my recent search for an off-site backup solution, I settled on the following requirements:

  • Runs on my main PC (Windows 8.1).
  • Stable and reliable.
  • Reasonably fast.
  • Incremental backups (back up only changed files).
  • Transmit only changed data (to save bandwidth).
  • A built-in scheduler, or compatibility with Windows Task Scheduler.
  • Compatible with DreamObjects, itself an S3-compatible service.
  • Data is encrypted in transit and when stored.
  • Storage provider does not possess encryption keys.
  • Ability to limit bandwidth used during backup operations.
  • Ability to limit the amount of storage used.
  • Backup storage pruning based on number of copies and/or storage used.
  • Straightforward restore process and tools.
  • Useful logging.
  • Does not use excessive computing resources (memory, processor, local storage, handles, and disk I/O).
  • The ability to include and exclude files and folders based on various criteria.

Enter CloudBerry

I looked at numerous possible solutions, and even purchased a few that looked promising but ultimately failed to meet my requirements, including qBackup, Arq5, Arq7, and GoodSync. I also looked again at Cobian Backup, which I still use for local backups, and Allway Sync, which I use for fast syncing of critical data to thumb drives, but they also failed to meet my needs for off-site backup.

CloudBerry was just the next solution on my list. I had never even heard of it before reading about it in this Reddit thread.

CloudBerry Backup can be downloaded and installed on a trial basis for two weeks. That was plenty long enough for me to learn what I needed.

CloudBerry Backup Features

See that list of requirements a few paragraphs back? Well, CloudBerry Backup checks all those boxes, and then some. CBB works with many storage servies, including Amazon S3, Amazon S3 Glacier, Microsoft Azure, Google Cloud, Backblaze B2, Wasabi, OpenStack, various S3-compatible storage and others.

Other notable CloudBerry Backup features:

  • Grandfather-Father-Son (GFS) retention policy support
  • Backups to local drives and NAS-like storage devices
  • Microsoft SQL Server backups
  • Microsoft Exchange backups
  • Synthetic Backup for File, Image-based, VMware backups
  • Bare-metal recovery (create recovery disks and USB drives)
  • Cloud Backups (cloud-to-cloud, and cloud-to-local)
  • Image-based backups (physical or virtual machine image)
  • Modified Block Tracking for Image-based backups
  • Support for various virtual machine formats (Hyper-V, VMware, VirtualBox, and RAW)
  • Restoring image-based backups as Amazon EC2, Microsoft Azure VM, and Google Compute Engine instances
  • Hybrid (two-step) backup (applies to the legacy format only)
  • Client-side Deduplication
  • Mandatory and Full Consistency Checks
  • Backup Chains and Custom Scripts Support

One huge bonus CloudBerry provides is a clean, well thought-out user interface. This wasn’t on my requirements list, because although UI is important, backup software is typically set up once and then runs in the background. So I can live with a crappy UI in backup software, as long as it’s otherwise good. That’s unlike software I use every day, such as my email client, web browser, and document-based office applications.

A well thought-out user interface also makes CloudBerry Backup a legitimate solution for the less technically-inclined among us. In using CBB, I frequently discovered what I was looking for without any searching for functions or settings. Preset defaults made sense, and the backup plan creation wizard is excellent. CBB even creates several backup plans automatically, for documents, web browser bookmarks, and pictures; these need only a destination to be configured before they can be used.

CloudBerry Backup Pricing and Licensing

CloudBerry Lab was founded in 2011, but is in the process of rebranding itself as MSP360, so the company web site refers to both names. For now, the product I’m interested in is MSP360’s CloudBerry Backup Desktop Edition, which sells for $49.99 USD. The company provides other backup software and services aimed at business, corporate, and educational customers. There’s also a free version of CloudBerry Backup, but it has some limitations that make it unsuitable for my purposes.

When you purchase CloudBerry Backup Desktop Edition, you have the option of paying an extra $10 USD for a year of annual maintenance. The MSP360 web site isn’t exactly clear about what this provides, but it does include support, and may be the only way to obtain software updates. If you want and/or need support, the $10/year price seems reasonable.

Conclusions

Great software makes me happy. CloudBerry Backup qualifies, and my search for an off-site backup solution is over for now.

If you or anyone you know could use an excellent backup solution, whether or not they need off-site storage, you won’t go wrong recommending CloudBerry Backup.

EdgeDeflector prevents Windows 10 from using Edge

The battle for web browser dominance on the Windows desktop continues, although Google is currently winning. “Google recommends using Chrome” messages seem to appear on every Google-managed web page even if you’re already using Chrome. But while annoying, those messages are arguably reasonable compared with some of Microsoft’s recent tactics.

Microsoft likes to reset certain settings back to their defaults when Windows updates are installed. They’ve been doing this for years, reverting user browser preference to Internet Explorer at every opportunity.

As a result, power users and software developers have been engaged in a tug of war with Microsoft over the default web browser in Windows. In recent years, Microsoft has made it impossible for the default browser to be changed by software, forcing browser makers to instead provide instructions to users on how to make that change. Microsoft can of course claim that this change was made to improve security, and given the prevalance of browser hijackers in past years, it’s difficult to disagree.

With Edge in Windows 10, Microsoft has taken this battle to new extremes. Even if you have another browser selected as the default, some sites and services will always be opened in Edge. To see this in action, click on the taskbar search box. A large panel will open, showing news and weather links. Anything you click here will open in Edge, not in your default browser.

That’s because internally, Windows is using a special protocol called URL:microsoft-edge, which forces the use of Edge for opening web pages that Microsoft has designated as special in some way, despite being ordinary web pages in every sense.

This is of course exactly the sort of behaviour that got Microsoft in trouble in the 1990s: using their dominance in the desktop O/S market to push their own web browser. But these days everyone’s attention seems to be on Google and Facebook, and Microsoft’s browser pushback is being largely ignored.

EdgeDeflector to the rescue

Daniel Aleksandersen’s EdgeDeflector is a small tool that overrides the URL:microsoft-edge protocol’s normal behaviour, forcing it to actually use the web browser you’ve chosen as the default. EdgeDeflector was recently updated to make it more palatable to anti-malware software, which previously flagged the tool as suspicious because of its behaviour.

You’ll have to change this Windows 10 setting manually to make EdgeDeflector work.

Once you install EdgeDeflector, you need to complete its setup with some manual steps. I can confirm that the end result is exactly as advertised: even when clicking news links from the Windows 10 search panel, those links will open in your default browser, not in Edge.

Of course, Microsoft will probably take steps to defeat this useful tool, with the most obvious step being to revert the changes EdgeDeflector has made when Windows 10 is next updated. And so there are no winners in this stupid, never-ending battle.

Deciding whether to install a web ad blocker

I just discovered an interesting and useful web site: Should I Block Ads?

Created by Michael Howell, it’s collection of information that can be helpful in deciding whether to install an ad blocker in your web browser. It also provides ad-blocker recommendations for various platforms and browsers.

Michael’s analysis addresses all of the concerns I’ve had with web-based advertising, and confirms my choice to install and use uBlock Origin in Firefox, my primary web browser.

If you’re considering installing an ad blocker in your web browser, keep in mind that there can be a bit of a learning curve, and that blocking ads can cause some web sites to stop working. Blocking web ads usually ends up being an ongoing process; don’t expect it to be a magic bullet.

There are of course arguments against ad-blocking. Just keep in mind that a site owner always has the option of placing hand-crafted advertisements on their site; as long as they don’t use Javascript and are not associated with known advertising networks, they will not be blocked.

Hook: find without searching

A new software tool from CogSci Apps called Hook lets you link together web sites, emails, documents, and many other resoures, making it a simple matter to find those resources again later. Open one resource, then use Hook to open any or all of the related resources.

Here’s an exerpt from the Hook web site:

Hook for macOS
Find without searching.
Instantly access the information you need, without searching. Whether it’s in the Finder, email, on the web, in the cloud, a version-control system, … almost anywhere.

Currently available only for Mac, a Windows version is in the early planning stages.

If you have a Mac and want to try Hook, you can download the free version from the Hook Download page.

Paid versions of Hook include more features. You can see how the different versions compare on the Hook Buy page.

JRC is a CogSci Apps affiliate. If you purchase a paid version of Hook within 30 days after visiting the Hook Buy page using any Hook Buy page link on this page, Jeff Rivett Consulting will receive 15% of the purchase price.

It’s probably a good idea to stop using LastPass right now

Password management tools are generally a good thing. Most of us have so many passwords now that remembering them all is difficult. While it’s tempting to use one or two passwords everywhere, this is generally viewed as a bad idea. Same goes for short or easy-to-guess passwords: bad idea.

I recommend using password management software that runs natively, on your computer. I personally use Password Corral, and have used Bruce Schneier’s Password Safe. Both store your password data on your computer, not on someone else’s computer (aka ‘the cloud’). Both are relatively basic in terms of functionality: they allow you to store all of your passwords securely; password data is encrypted and protected by a master password. They can also generate new, random passwords.

There are plenty of other password management solutions out there. Some of the most popular ones, like LastPass, provide more features and are easier to use, but there’s typically a cost. For instance, it would definitely be convenient if I could access my passwords from any computer. But if that means my password data is stored on the cloud somewhere, well, no thanks. The same goes for browser extensions that enter passwords automatically.

Which brings us to yesterday, when a Google Project Zero security researcher reported a serious vulnerability in the LastPass browser extension. With the extension enabled in your browser, a malicious web site could steal all of your passwords from the LastPass data files. Yikes. But wait, there’s more! If you’re also running the main LastPass software on your computer, a malicious web site could execute arbitrary code on your computer.

LastPass issued a response to this report, confirming the problem. Their advice to users is vague, but that’s actually a good thing: if they said too much, it could provide clues about the vulnerability to malicious hackers. But the message is clear: if you have to use LastPass, disable the Lastpass browser plugin:

Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved.

Interestingly, of the three recommendations provided, two are standard advice for anyone who uses the web: enable and use Two-Factor Authentication for sites and services that offer it; and be wary of phishing attempts.

Review: Heimdal Security Software

I’m always on the lookout for tools that simplify the task of keeping software up to date. I recently installed Heimdal Security Free on my Windows 8.1 PC, and took a close look at its software patching feature.

Note: the paid version of Heimdal Security includes network traffic-based malware detection. That feature appears in the free version, but it’s disabled.

The Good

The software basically does what it says. By default, it automatically checks for out of date software, and silently installs updates where needed. The software it checks includes the vulnerability-prone Flash and Java, as well as all the major browsers. It’s fast, relatively unobtrusive, and has a polished, professional user interface.

The patching system can be customized: you can tell it to only check for updates, but NOT install them automatically, and you can disable checking for anything in its software list, which currently includes forty-one items.

The Bad

  • If you disable the auto-update feature, there’s no obvious way to install new versions.
  • The ‘Recommended Software’ tab has Install buttons, which at first looks useful. But closer inspection reveals that this list only shows software that isn’t currently installed. In fact, it lists some software I’ve never even heard of, much less installed.
  • Heimdal detects software that is available in both 32- and 64-bit versions. But if you have the 32-bit version installed, the ‘Recommended Software’ tab will list the 64-bit version. And vice-versa. This is not useful.
  • There’s no obvious way to tell Heimdal to perform a re-scan. I eventually realized that disabling the feature and re-enabling it does that, but a ‘Scan’ button would be a real improvement.
  • The software list cuts off some important information: the software version number is often truncated, making definite confirmation of version changes difficult. And there’s no way to resize the column, or the dialog. Update: I discovered that the missing information can be revealed by hovering the mouse over a truncated field.
  • Heimdal shows some software as needing an update when in fact that software is up to date. For example, it continues to report an available update for 7-Zip 16.04: to version 16.04.0. It looks like Heimdal fails to match versions when there are extra zeros.
  • There’s no way to shut down Heimdal once it’s installed. There’s an icon in the notification area, but it doesn’t even have a right-click menu. Your only option is to uninstall Heimdal completely.
  • When Heimdal installs something from the ‘Recommended Software’ tab, it configures itself to automatically update that software. An option to override this behaviour would be helpful.

It’s possible that some of these issues would not present themselves if I configured Heimdal to install updates automatically, but I prefer to have more control over software installation.

Conclusion

Despite its flaws, Heimdal may prove useful to some users. But I can’t recommend it.

Update 2017JFeb01: Heimdal responded to my review, addressing my concerns:

For the moment, Heimdal does not have the option to install updates manually. We wanted to make software updates fast, secure and hassle-free for Heimdal users and adding a manual option would be the opposite of that.

My response: that’s just silly. Make it an option, but default to automatic. Most users would never even see the option. It wouldn’t make anything slower, or less secure, or increase hassle. And all the necessary functionality is already in place.

We called it “recommended software” because it not installed on the system. These are apps you can install with one click, should you want to do it. If not, they don’t impede you in any way.

My response: Understood, but it’s kind of misleading, especially since in some cases they are recommending 32 bit versions of software already installed in 64 bit form.

Indeed, this is something we will work on improving, so we can match software versions to the type of system they’re recommended for.

The scan button is in Heimdal’s home screen, when you hover over the big white button with the green checkmark. We will try to make this more obvious in future versions.

My response: on the Overview tab, there’s a big white icon that’s either a checkmark (if everything is up to date) or an exclamation mark (if it isn’t). Nothing appears when you hover the mouse over this icon, and there’s no indication that clicking it will do anything. But it does work, so it would be nice to have this properly labeled.

Making windows resizable is not something customary to security applications (it would create an unnecessary burden on the system), but we will try to rearrange the elements so that they provide a clearer view in future updates.

My response: Making windows resizable is in fact standard for all Windows applications, and those that don’t allow this are probably not following Windows development guidelines. Further, the notion that adding this functionality would somehow place a ‘burden on the system’ is simply absurd. But the indicated fixes will be welcome in the absence of resize-ability.

Heimdal shows some software as needing an update when in fact that software is up to date.

I think that our support team can help you with that. If you can, send them an email at support@heimdalsecurity.com and they’ll be right on it!

My response: Done. After some back and forth, Heimdal support reproduced one of the problems on their end (7-Zip version detection), and is working on a fix.

We will add a right-click menu in the coming versions. There is no option to shut down Heimdal, because security software usually does not have this feature. If it had it, malware could easily switch it off and infect the system.

My response: if malware is present on a computer, it can kill a process as easily as it can stop a program from its system menu. I want to be able to run the update feature on-demand, and there’s simply no way to do that sensibly unless the program can be closed.

Windows 10 privacy improvements, sort of

The good news is that Microsoft is improving the state of privacy in Windows 10, albeit slowly, and grudgingly. The bad news is that the improvements are unlikely to satisfy anyone genuinely concerned about what Windows 10 is really doing.

New: Privacy Dashboard

A few days ago, Terry Myerson, Microsoft’s Executive Vice President of the Windows and Devices Group, announced a new web-based Privacy Dashboard, accessible via your Microsoft account. If you don’t have a Microsoft account, you’re out of luck. I’m still using my Microsoft account to log into my test system, because otherwise I’d have to buy a Windows 10 license. You probably already have a Microsoft account even if you don’t use Windows 10, as they are used for XBox Live, Skype, and other Microsoft services as well.

Poking around in the Privacy Dashboard, the Browsing History section is empty for me, presumably because I don’t use Cortana or Edge. The Search History section is also empty for me, because I don’t use Bing search. But if you use Cortana, Edge and Bing, you’d be able to see all that history here, and be able to remove it as well.

The Location section shows where you’ve been when you logged in on Windows 8.1 and 10 computers. Again, you can clear any or all of this. The section for Cortana’s database shows everything Cortana knows about you, based on your interactions. This is where things get interesting for me, because I only used Cortana for a couple of days when I first installed Windows 10. Cortana knows how often I eat at restaurants, and how far I go to get there. It knows my main mode of transportation. It knows what kind of news interests me. It’s not much, but it’s enough to be kind of creepy.

The Privacy Dashboard is a step in the right direction, and it’s very useful for anyone interested in seeing exactly what information Microsoft has collected. It also allows you to clear much of that information. But what if you want to prevent Microsoft from gathering this information in the first place?

Privacy improvements in Windows 10

Also revealed in Myerson’s post are upcoming changes to the privacy settings in Windows 10. The initial privacy setup has changed, and now provides a bit more information about the various privacy levels and settings. Microsoft is “simplifying Diagnostic data levels and further reducing the data collected at the Basic level.” But in fact there will be fewer privacy levels to choose from, and there’s still no real explanation of exactly what data is sent. And of course the most useful ‘Security’ level (which disables almost all telemetry) is only available to Enterprise users. Us regular folks can only throttle data collection down to the ‘Basic’ level.

According to Microsoft, the Basic level “includes data that is vital to the operation of Windows. We use this data to help keep Windows and apps secure, up-to-date, and running properly when you let Microsoft know the capabilities of your device, what is installed, and whether Windows is operating correctly. This option also includes basic error reporting back to Microsoft.” This sounds reasonable, but it’s lacking in detail and — for many users — still sounds like an intrusion.

Luckily, there are alternatives. I recently discovered a Powershell script called Reclaim Windows 10 that can disable all of the telemetry settings in Windows 10. I’ve yet to test the script, but it looks promising.

Advertisements in Windows 10?

Microsoft still insists this isn’t about advertising: “We want you to be informed about and in control of your data, which is why we’re working hard on these settings and controls. And regardless of your data collection choices, we will not use the contents of your email, chat, files, or pictures to target ads to you.” I’d like to believe that, but it seems unlikely. Microsoft is clearly taking aim at Google’s huge lead in online advertising, and the idea of having a captive audience for advertising (in the form of millions of Windows users) is obviously just too tempting to resist.

Microsoft continues to push Windows 10, now at the expense of Windows 7, which it now says “does not meet the requirements of modern systems, nor the security requirements of IT departments.”

Update 2017Jan18: Techdirt weighs in.

Microsoft to abandon EMET slightly later than planned

Starting in 2009, Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) provided Windows users with an additional layer of security. It was designed to block specific, known types of vulnerabilities. EMET proved particularly useful for people running older versions of Windows, especially XP.

I’ve been recommending EMET since it was first available, and it’s still a useful addition to any Windows system, but I’ve also been running into an increasing number of EMET-related problems, and finally stopped using it on my main Windows 8.1 computer recently.

Microsoft originally intended to stop supporting the Enhanced Mitigation Experience Toolkit (EMET) in January 2017, but based on customer feedback, EMET’s demise will now take place on July 31, 2018.

In the recent EMET end-of-life announcement, Microsoft admits to EMET’s failings, and points out that much of the protection provided by EMET is now built into Windows 10. Of course, that doesn’t help those of us who are avoiding Windows 10 because of privacy and control issues.

Update 2016Nov22: According to CERT (a division of the Software Engineering Institute at Carnegie Mellon University), Microsoft’s claims for Windows 10 are not entirely accurate. While it’s fair to say that Windows 10 includes the system-wide protections provided by EMET, it does not provide per-application settings. In other words, Windows 10 security can be improved by also running EMET. This makes the retirement of EMET by Microsoft seem rather premature.

Password managers

“If you’re not using a password manager, you should be.” You’ve heard the refrain, and you’re probably tired of hearing it. But we won’t stop saying it until people get the message.

Rule #1 in online security is “Don’t re-use passwords for multiple web sites and services.” Rule #2 is “Use long, complex passwords.” Following those two rules means you have to remember multiple, long, complex passwords. This is not something humans are particularly good at, which is why we need password management software.

I use Password Corral, free Windows software from Cygnus Productions. It’s not limited to storing passwords, so you can use it for bank accounts, license information, and so on. It can generate strong passwords according to customizable rules. It won’t fill in web forms for you, and it can’t be accessed on the cloud, but I don’t actually want either of those features.

I also recommend Bruce Schneier’s Password Safe.

When deciding on a password management solution, there are several factors to consider. There’s a useful comparison of password management tools (PDF) over at the SANS InfoSec Reading Room. It doesn’t include Password Corral or Password Safe, preferring to concentrate on the more mainstream and popular services, but it’s worth reading.

Was your account exposed as part of a breach?

It seems like every few weeks another web site or online service is breached. When that happens, user account information is almost always stolen, and usually published online.

If you have an account on a breached site or service, you may not be in any immediate danger. Often, only email addresses are published. Sometimes account/user names are also published. Occasionally, encrypted passwords are published, and when that happens, the weaker of those passwords are also quickly decrypted. The worst case scenario is where you’ve used a single, weak password for several different web sites or services.

After learning about a breach on a site or service, your first step should be to determine whether you have an account there. If you do, you should sign in and change the account’s password immediately (sometimes this is forced by the site owner in response to a breach). Then, if you’ve used the same account/email + password anywhere else, sign in to those other sites and change those passwords. Then stop using the same password everywhere, and start using a password manager like Password Corral.

If you’re not sure where you’ve used a particular account/user name or email address, you should start by searching for them on the Have I Been Pwned site. ‘Pwn’ is gamer slang for ‘own’, if you were wondering. Enter a username or email address, and the site will search it them in all known lists of breach data.