A Programmer explores the IT Security field, offering packets of useful information he picks up along the way.

Archive for March, 2009

Security through Obscurity

March 30, 2009 By: Ron Category: InfoSec 101 No Comments

I came across an interesting blog post the other day that caught my attention. The post contained a good, concrete example of an important security principle called "Security through Obscurity". The example shows Security through Obscurity applied in code, which we'll discuss shortly, but first we need to explain what exactly STO (Security through Obscurity) is. Here is a quote from Wikipedia on STO:

"In cryptography and computer security, Security through Obscurity (sometimes, Security by Obscurity) is a principle in security engineering, which attempts to use secrecy (of design, implementation, etc.) to provide security. A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them."

In other words, STO is the attempt to strengthen security by adding design complexity or by keeping certain aspects of the system secret. Here's an example. It is common practice for web-masters to modify the banner strings of their HTTP server. The banner tells the client which flavor and version of the web server is running; the flavor may be Apache, Lighttpd, or IIS, for example. This information can be useful to an attacker, and therefore it is recommended that banners be silenced or even display incorrect information. Now let's take a look at this practice of changing the banner on your web server. Does this make it less likely to be attacked? Some folks might say yes, though everyone would agree that it doesn't actually secure your web server in any way. Perhaps an attacker is looking for a particularly vulnerable site and passes by yours because he can't verify which web server and version you are running. This is STO: you obscured certain details of your system in an attempt to add security, and that is Security by Obscurity.

OK, now to the coding example I stumbled upon over at the iPhone Development blog. Here is a snippet of code in the Objective-C programming language (the language used to create Mac and iPhone applications).

NSString *credentials = @"user:password";

In the line above the author defines an NSString object called credentials that contains a user-name and password needed for authentication at some other point in the program. Once the program is compiled and ready to be deployed, the user-name/password text can be found fairly easily in the binary. Here is how the author obscures this line of code:

// The literal is split into fragments that stringWithFormat: reassembles at runtime,
// so the whole credential never appears as a single string in the binary.
NSString *credentials = [NSString stringWithFormat:@"%c%s%@%c%c%s%@", 'u', "ser:", @"pas", 's', 'w', "ord", @"@"];

In the line above, the credentials NSString now has the user/password obfuscated, which makes the user-name/password harder to find in the binary but not impossible. A tenacious hacker with a lot of time on their hands will figure it out eventually. STO isn't "real" security, but, depending upon your security requirements, STO might be all that is needed. It certainly should not be confused with true information security.
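To make the "harder but not impossible" point concrete, here is an added example (my own, not code from the original post or from the iPhone Development blog). It is the check a developer should run over their own build before shipping: a minimal `strings`-style scan over two constructed byte blobs that stand in for the read-only data of the plain and the obfuscated build. The blobs and the secret are assumptions constructed for the example; real Mach-O files carry far more, but string literals land in them as NUL-terminated printable runs exactly like this.

```python
"""
Added example: does a build artefact still expose a hard-coded credential?
Two constructed blobs stand in for the data section of a compiled binary:
PLAIN_BUILD comes from the plain literal, OBFUSCATED_BUILD from the fragments
used in the stringWithFormat: version. A 'strings'-like scanner runs over both.
"""
import re

# Constructed stand-ins (assumption: not taken from a real binary).
PLAIN_BUILD = b"\x00\x00main\x00user:password\x00NSString\x00\x00"
OBFUSCATED_BUILD = (
    b"\x00\x00main\x00%c%s%@%c%c%s%@\x00ser:\x00pas\x00ord\x00@\x00NSString\x00"
)

SECRET = "user:password"  # the value the developer is trying to hide


def extract_strings(blob: bytes, min_len: int = 3) -> list:
    """Return every run of printable ASCII of at least min_len bytes,
    the same heuristic the `strings -n <min_len>` tool applies."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_credential(blob: bytes, secret: str) -> bool:
    """True if the complete secret sits in the blob as one printable run,
    i.e. a plain `strings | grep` would recover it in one step."""
    return secret in extract_strings(blob)


def leaked_fragments(blob: bytes, secret: str, min_len: int = 3) -> list:
    """Printable runs that are substrings of the secret. These are the
    pieces an analyst still sees in the obfuscated build and could
    reassemble by hand, which is why the trick is obscurity, not security."""
    return [s for s in extract_strings(blob, min_len) if s in secret]


def report(blob: bytes, secret: str) -> dict:
    """Summarise what a build leaks about the secret."""
    return {
        "whole_secret_visible": find_credential(blob, secret),
        "fragments": leaked_fragments(blob, secret),
    }


if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_BUILD), ("obfuscated", OBFUSCATED_BUILD)):
        print(label, report(blob, SECRET))
```

The plain build fails the check outright; the obfuscated build passes the naive whole-string test, yet `ser:`, `pas` and `ord` are all still sitting there in the clear, which is the gap between "harder to find" and "secure". The practical takeaway for a defender is that the scan belongs in the release checklist, and that a credential a binary must carry should be fetched at runtime or stored in the platform keychain rather than obscured in a literal.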

My Hard Drive Failure

March 16, 2009 By: Ron Category: Backup 4 Comments

I'm rewriting this post that I actually started writing a few weeks back about a data backup plan and how essential it is to back up your data. Soon after I first started this post, towards the end of February, I turned on our Mac one day and heard a loud clicking sound, and I thought, "that really doesn't sound good!" It wasn't good: our Mac couldn't find its hard-drive and as a result couldn't boot up. Yup, we had a hard-drive failure. I think some people actually have to experience a hard-drive failure to start taking backup very seriously. Lucky for us we had a solution in place and were able to recover all our data. This time it was Time Machine that saved us from sending our hard-drive to a data recovery center, where people in white coats in a lab will try and retrieve your data for a mere 2,000+ dollars!!

How many of us actually back up our systems regularly? Today, more than ever, in our ever-expanding digital world, having a proper backup solution is absolutely imperative! We all have files we can't afford to lose. I was browsing through my vast library of photos I've taken over the years of the family, viewing precious pictures that cannot be replaced. My wife, a freelance graphic designer, has a vast collection of files that she's created throughout the years and files she's been working on recently for various projects. We also have financial data, music that we ripped and don't have the CDs for, videos of our kids and other assorted types of files.

Apple recognized the need for a backup solution built into the OS and introduced Time Machine in OS X Leopard. I upgraded our Mac to Leopard back in November of 2007 and have been using Time Machine ever since. Time Machine is an incredible solution for Mac users, and you should be ashamed if you're running a Mac without Time Machine. All you have to do is get an external hard drive, plug it in, and Time Machine will ask you if you want to use this external drive as a Time Machine backup. Click yes and your entire system starts backing up behind the scenes. Apple made Time Machine very easy to set up, so it becomes a set-and-forget solution. What's really cool about Time Machine is that you can actually go back in time and retrieve previous versions of a file you were working on, or, if you look in your Documents folder and don't see a file, you fire up Time Machine and view your Documents folder back in time. Then you will find the file that you accidentally deleted, click on it and put it back in your Documents folder! Check out the screen shot below:

[Screenshot: Time Machine Backup]

A Time Machine backup, or a similar Windows-type external hard drive backup solution, is just not enough. We need the second part of the two-part solution. Unfortunately, our PCs are vulnerable to theft, natural disasters, floods and on and on, Heaven forbid. That's why a good backup plan should also include off-site storage. That's where Jungle Disk comes in.

Amazon S3 (Simple Storage Service) is a service offered by Amazon. It is also called "In The Cloud" storage, the "cloud" being out on the internet, so the infrastructure is "cloud-like". Services such as these are becoming more and more popular. The Amazon S3 service is used primarily by businesses, since it's really wholesale storage and doesn't offer any direct solutions for the home user. Jungle Disk is a nice program that you can download for just $20 and that utilizes the Amazon S3 storage service. You will need an Amazon S3 account where you provide a credit card so they can bill you monthly for the storage you use. I'm using approximately 10 gigs of storage and I pay only $2 per month. Pricing details can be found here.

I use Jungle Disk as a worst-case-scenario; since you pay for the space, you may not want to put your entire hard-drive in the cloud. You can configure Jungle Disk to back up only certain folders, and you can also include or exclude certain types of files. Let's say you're backing up a folder with mostly pictures: you might want to back up just *.jpg files or exclude *.mov files. You can also schedule backups so they happen automatically, say daily or weekly, whatever your needs require and what you feel comfortable with. For now, I chose a weekly backup of all our family's pictures and all of my wife's files, which total roughly 10 gigs.

When you run the Jungle Disk backup for the first time it will take a while, depending on your upload speeds, but subsequent backups will only upload files that you've changed or added. Some people will ask, "how can I trust Amazon S3 with my files?" The answer is that you don't have to trust anyone. Jungle Disk gives you the option to encrypt your data locally (on your PC) prior to uploading your files, so that anything stored on Amazon S3 is "gobbledygook" to anyone without your pass code.
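The two selection rules described above, include/exclude patterns and "only upload what changed", are easy to get wrong when rolling your own off-site backup, so here is an added example of how they fit together (my own code, not Jungle Disk's; how Jungle Disk detects changes internally is not stated in the post, and the content-hash manifest used here is an assumption). It builds a constructed photo folder in a temporary directory, plans a first run with `*.jpg` included and `*.mov` excluded, edits one file, and plans a second run that queues only the edited file.

```python
"""
Added example: incremental, filtered backup selection.
A manifest (relative path -> SHA-256 of content) from the previous run decides
which files need uploading; glob patterns decide which files are in scope.
Uploading and the local encryption step that should precede it are out of
scope here: plan_backup only returns the list of files to hand to that stage.
"""
import fnmatch
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Content hash, read in chunks so large photos/videos don't load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def selected_files(root: str, include=("*",), exclude=()) -> list:
    """Relative paths under root whose file name matches an include glob and
    no exclude glob. Exclude wins, so '*.mov' is dropped even if '*' is included."""
    chosen = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if any(fnmatch.fnmatch(name, p) for p in exclude):
                continue
            if any(fnmatch.fnmatch(name, p) for p in include):
                chosen.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(chosen)


def plan_backup(root: str, manifest: dict, include=("*",), exclude=()) -> tuple:
    """Return (files_to_upload, new_manifest).
    A file is queued when it is new or its hash differs from the manifest;
    the returned manifest is what the next run should be given."""
    new_manifest = {}
    to_upload = []
    for rel in selected_files(root, include, exclude):
        digest = sha256_file(os.path.join(root, rel))
        new_manifest[rel] = digest
        if manifest.get(rel) != digest:
            to_upload.append(rel)
    return to_upload, new_manifest


def demo() -> dict:
    """Constructed folder: two jpgs and one mov. First run uploads both jpgs,
    second run (after editing kids.jpg) uploads only kids.jpg."""
    patterns = {"include": ("*.jpg",), "exclude": ("*.mov",)}
    with tempfile.TemporaryDirectory() as root:
        sample = {"beach.jpg": b"jpg-1", "kids.jpg": b"jpg-2", "party.mov": b"video"}
        for name, data in sample.items():  # constructed sample files
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        first, manifest = plan_backup(root, {}, **patterns)
        with open(os.path.join(root, "kids.jpg"), "wb") as f:
            f.write(b"jpg-2-edited")
        second, manifest = plan_backup(root, manifest, **patterns)
        return {"first": first, "second": second, "tracked": sorted(manifest)}


if __name__ == "__main__":
    print(demo())
```

Hashing content rather than trusting modification times is the safer choice for a backup: a restored or touched file with unchanged bytes is skipped, and a file edited without its timestamp moving is still caught. Keep the manifest alongside the backup configuration and, as the post says about Jungle Disk, encrypt each queued file locally before it leaves the machine.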

When you purchase a Jungle Disk license you can run the software on all the computers in your home. Our Mac and Vista laptop both have Jungle Disk running. Now that I've shared my backup plan that saved our bacon, I would love to hear others share what their backup plans are.