
CG - Watch Out For That Bus! (Personal Disaster Recovery Planning) - David Minch

BSides Las Vegas, 52:12, published 2018-09

About this talk

Watch Out For That Bus! (Personal Disaster Recovery Planning) - David Minch. Common Ground, BSidesLV 2018, Tuscany Hotel, Aug 08, 2018

Transcript (en)

hello my name is David Minch I'm a cyber security engineer I'm here to talk about personal disaster recovery planning or why you need to watch out for that bus so fortunately you've already made it this far in the week that's good you have a couple more days of DEFCON to get through so maybe this is gonna be more relevant to you depending on what you end up doing it DEFCON so let's get started so what we're gonna cover is why this even matters we're going to talk about what makes up your digital life which is more of the focus of this talk we're gonna see how I messed this up and we're gonna laugh at it because

that's the best way to learn from it and we're gonna build your plan and test it because while we're hoping that everything goes well it's DEFCON it's light you never really know what's gonna happen and you need to be prepared for the worst so where does this talk even gets name from for those not familiar the bus count is something we use in software circles or IT circles or really any industry it's how many people can get hit by a bus before you run to big problems hopefully there's more it's not just you that gets by the bus and then everything's doomed and gloom we want to have our bus count higher than one so that's where this

talk comes from and why you need with what worry worried about the bus now to get into the right mindset for this talk I want you to look at this lovely starry sky with a silhouette or you can close your eyes and hum to yourself a little bit and what you think about who else in this planet is important to you is it yourself that's okay little vain but it's fine is it a spouse a significant other kids parents grandparents are just a good group of friends there's other people we care about that we need to plan for so keeping these people in your mind is really important for this talk because it's really the whole reason

we're here now you have some cards we're going to do some some questions this is in the spirit of besides Las Vegas we want some community participation I didn't want anyone to have to come up on stage or you know raise hands so we're going to use the neon index cards and we'll give you a common easier question so the first question will you die there are three answers to this I want you hope the corresponding color and look around the room because your answer is great for you but you want to see what other people are answering all right I'm really surprised that there's no smart alecks in the room but we have a lot of pink cards I hope we got one

good but the thing is is that this question while it's an easy question is an important question because everyone is going to die that's that's something we all share it's something that is inevitable the question is when and the thing is the further you think you are from from death itself actually it makes it more difficult for two reasons one it means you're probably less prepared for it because it's so far away so disaster strikes you're gonna have more problems and two let's say you live a long healthy life which I certainly hope for all of you but that means in the coming decades as we get more and more digital things are going to become

more complicated and this issues gonna be more relevant than ever so that's a problem all right question two you're able to hold up multiple cards for this one it's what these types of bad things have happened to you so take a look pull up the cards maybe you're not holding up any cards great for you but the point this question is not about what cards you're holding up it's about the cards that everyone else is holding up around you and if you're holding no cars this is even more important because it's really easy in this entire topic and say this won't happen to me but the reality is is that there's people in this room

that's happened to they're good people they're all your friends at 'besides Las Vegas but but stuff happens and we need to be prepared for it so just because you're not holding up a card doesn't mean you're bulletproof and for the rest of this talk you're dead you just you know closing ceremony happens you have another you know maybe you have another drink you're having a really in-depth discussion and you're crossing Las Vegas Boulevard you didn't look both ways and you get hit by a bus you're dead not very good for you now the person you were thinking of when we had that lovely starry sky are they able to keep living their life are they

locked out of your life for or maybe you have prepper area preparations but they're really not gonna work when they need them you need them too and what's important to consider is when you're thinking of those people where do they fall on the spectrum of technological competency if you're lucky you've had fierce discussions about BIM versus Emacs at 4:00 in the morning we're not going to go into which one's better but the reality is is that a lot of people you're talking about is thinking about they're now on the right side of the spectrum and that's okay we still love them maybe less but we still love them so maybe you're dealing with people there in the center that you know they

can use a computer but they really don't know they're not you know attending besides Las Vegas they don't have a full spectrum of technological competency that maybe you do or you have to deal with people there on the left-hand side of the spectrum we're watching the music computer is extremely painful to you and somehow their facebook status is just their Google searches and you just don't really understand how that happens but we have to deal with that so surprise question the people you were thinking of where do they fall in this spectrum so I'm leaving see any green so maybe I'm agreeing over there but most of us aren't dealing with greens we're dealing with the yellows the oranges and the

Pink's so it's important to think about that because it's the further left on this spectrum we get what happens if you're no longer around and this is what the presented with everything they possibly need is on the desktop unencrypted too full guy to take over everything but they don't know what the password is for your computer now the people the right side of the spectrum we're saying okay I would rip out the hard drive and play a drive caddy and I'll just read off all the files or let's have some fun with it we'll just pull the windows hashes and crack them or we'll just swap out the hashes I mean we can we can come up with a million

ways to get into it but that's not really fair because that's the right side of the spectrum if you're dealing with people there in the middle are the less technically competent did the whole thing stops here that's it doesn't matter if you had this computer backed up they all know how to get to that they'll know how get into this computer it's a whole it's a bunch of junk right now so we also have to think about is we've been really focused about you you're so important we're all being really pain and that's okay cuz I directed you to do so but there's actually a flip side of this coin and what happens if you were

walking a little bit slower but now they're dead and the bus hit them instead so are you prepared to be the one that's still alive pick up the pieces for the people that you care about now this has been really grim and this is a whole lot of buses hitting a whole lot of people let's think about the other bad things so natural disasters they're happening more frequently I'm from Maryland there's a cute low town youth for 100 years didn't really have flooding issues no problem now every other year the entire first story gets destroyed by floods and it's just like a thing you have to deal with now I could see its cute town lovely

Main Street half the time underwater you also might deal with illness or dementia this one's really emotionally draining because the people are still there but they're not necessarily still there and so that's really hard to work with you might have theft maybe the government comes for you maybe you're not so clean cut and you did something wrong and now you're in jail that's very unfortunate but just because you're behind bars doesn't mean you should your family should have to struggle maybe you're in the military you do a deployment six months a year or two years with minimal communication you want to make sure your family still is able to live their lives and without you just and not have to

worry about you being gone they're gonna be very sad they don't have to struggle and then you'll have the traditional things that you might think of that trigger trigger a bad scenario like hardware or software failure and those types of things so next question do you currently backup your files there's a variety of answers to this one the pink people the best ones have the automatic off-site backups raw if you have the orange ones you have automatic local backups that's good but there's some problems with that because the thing that makes you need the backups might take out those as well or you're my favorite category the yellow people that say oh I copy everything to like this

flash drive I do it every month but the last time you did was 2015 and you don't know where the flash guy even is so you're just kidding everyone including yourself or you just could be honest and you live on the edge but at least you live in reality and you just don't do backups so hold up those green carts proudly and then have you lost data before the worst is when it's completely Erica irrecoverable and you're pretty upset about it or it's no big deal are you just lucky and awesome so again the car that you're holding up is initially the one that you should be interested in it's seeing what other people are holding up as well as to hold

up this line one more time so we got some pinks they weren't happy all right that's enough for the cards right now so the question is we've established that you might die or other people might die or maybe some plugging occurs and bad things can happen and people have lost data and it can happen to real people like to find people in this room but the real question is can you recover and can the people you're thinking about recover and not only do you have the right controls in place but when you need them the work will pay that's a separate question just because you have something in place doesn't mean it's actually going to work when you want it to now

what really actually made me think about this talk in the first place was less about disaster recovery and more about locking my own self out of all my accounts so I really like the idea of like multi-factor and two-factor and encryption and all the good things that we we have security professionals and security minded people like to add on to our accounts usually above and beyond what the regular normal people are doing and that's great except for I was getting Kristin Lee worried that I was going to lock myself out of everything I cared about and really just had myself to blame and I was also worried about so my special someone that I'm thinking

about for this talk is my wife I'm thinking about okay maybe I have all this great encryption but that's like maybe gonna go so well if she needs to get into it when I'm not around does she know how to decrypt it does she know what the decryption keys are does she even know that I encrypt things in the first place can she find the things I have in the first place these are all issues and while she's a technical user it still is difficult so let's take a step back we've been talking a lot about disaster recovery and bad things happening and all the scary stuff but let's talk about what your digital life is to establish some

of the things you care about so the first thing is your email account and besides the fact that you probably getting a lot of like coupons and spam and your email it actually is really important because it is a common centralized repository for your digital life when my grandparents passed away a few years ago the way my dad found out about things that he just didn't know about was he watched their mailbox so every couple days you check their mail you get the bank statements of account that they've never told you about ever for some money you just didn't know existed and you can take care about take care of that take care of bills and all

those sorts of things but I don't get bills in the mail anymore my things come to my email and so your email account is important as a centralization of your digital life you also have things like your social media accounts depending on how social you are and what actually happens in the disaster this may or may not be that important but it is useful let's say you truly are hit by a bus and you are no longer around it is nice for your family to put those accounts to bed now Bitcoin now this this really isn't Bitcoin cryptocurrency well it's very buzzy right now and everyone that's made a ton of money I'm sure but the point of

Bitcoin for this talk member take cryptocurrency it's not about the here and now 2018 cryptocurrency it's the fact that cryptocurrency is really inherently purely digital asset and in 2018 maybe it's the only great example we can think of I think in 2020 2030 2050 and Beyond we're gonna start seeing more and more purely digital innovations that just don't have an analogue that we can just go to a brick-and-mortar store and be like yes here's the death certificate give me the cryptocurrency private keys just really don't care about that certificate you have to have the right resources to get into it and so that's what cryptocurrency in this context means you also have your house which right now is probably not that

digital maybe give a smart lock or something like that but this is also a future of thinking every time you add a new digital device how is that fact what happens if you're gone at some point in 2030 are we going up houses that you're no longer around aren't usable and you can get into those accounts and then you come to the more traditional things when we think about bad things happening and doing backups is photos and your files photos and videos are particularly irrecoverable because it's just a memory so if it's gone it's gone you can't recreate those happy memories but there are also important things like your documents that you may have put a lot of

time into maybe do a lot business stuff at home these are all things we want protect and then you have a cell phone well really a lot of times your cell phone doesn't have anything that unique that can't be replaced it's in the cloud everything synchronized that's great but your cell phone is actually interesting because it's the extension of your digital identity namely your cell phone number and this has been particularly relevant in the past like two weeks because of SMS from our two-factor and number porting and all these attacks on your phone number because people are realizing oh well I can just steal your phone number for a little bit and I actually assumed part of your digital

identity so let's say you crossing the street you get hit by that nasty bus and you were texting who we weren't supposed to do that and your phone's crushed too well maybe now when you think about recovery gaining access to your your digital identity of your phone number is actually a part of the recovery process and so that's something to think about as well and it's part of your digital life so I'm thinking about my digital life and what I value I'm thinking about all the security controls I've put on my accounts and thinking about my wife and I wanna make sure the cheese cover in the case that I get hit by a bus and so

really all I have to do is I'm gonna create my own disaster recovery plan I'm gonna test it so well I was thinking more about making sure I was doing a good job document documenting everything but I thought the harder part would be just making sure of my wife was able to follow everything I had done the reality is is that my plan actually didn't work in the first place and that was really surprising to me because I was worried about security controls my still thought like some stuff would work I thought all my backups automated off-site backups would be good enough and it didn't work out so what happened so for me I have been

corrupted file vault it's just additional security control so that way my files just aren't all over my dear there is a centralized extra layer of encryption awesome so if I can get that file vault starting from scratch then I know I'm good so how do we get to thank her to file Paul so for me I have to access my password manager I use one password we then need to access my off-site on my cloud backups I'm using back please and then because I don't trust back plays as much as I could I use private key escrow and so they don't have the keys to decrypt the backups I have them and so once I decrypt that I can get all

my files hooray everything's done and I now have my disaster plan has worked hurrah except for that's not what happened where would I keep my important encryption keys they would be in my encrypted file vault because that's where I keep the important stuff hooray so all my files are gone for forever every picture I've ever taken is gone and I am stuck that's not very good yes sir

so that is a possibility except for my house burned down my approves say well so it depends it depends on on how much you are willing to invest in a fireproof safe the cheap ones in Amazon if you really have a fire it's not gonna work out too well and maybe a physical document will work but if you have a drive inside the safe if any smoke gets in drives ruined and then you're back to doing forensics on a drive so it depends on your risk model it depends on what you're trying to prevent against and this is why I struggled with is it's one thing if if I just get hit by a bus and that's the

only thing we're considering then that's a different model but if you really want to take into account fire and all the other things we listed it gets more and more difficult to truly do just on-site model yeah no this was me testing my plan so so fortunately looking I can laugh this haha my test completely failed but fortunately I didn't actually need it it wasn't I have a bad day yet but that's why we're talking about this now is because hopefully we haven't had a bad day yet and we can be more prepared for when that comes so that was one way my plan failed so I fixed that problem and and and manipulated so that

wasn't a circular dependency anymore but I made another change a few weeks later I switched from last password to one password you might say well they're just password managers okay sure you change change vendors well the thing is is that with LastPass the default security model is that you have a username and master password that's how you get into your LastPass you can do multi-factor which I hadn't done because I was worried about locking myself out in cases the multi-factor it goes bad and we'll talk about that later but let's say we just have username and master password so when you switch the LastPass it's a different security model you need to use a name you need your master password but

the first time you log into a device you actually need additional secret key it's a long random key and it's it's a good part of the security model because if you're on new device like it's a little riskier let's prove that it's really you but where would I store the security keys they for me that's in minecraft file vault so now I came here to my pasture manager so I can't even lock login to my cloud backups and so I surely don't have to worry about decrypting them because I can't even get to them in the first place and all my files are lost for forever and so for me this is very upsetting because the thing is is that if you say

if I was one of the people that said oh I don't do backups and then something bad happened I went I lost everything you go well yeah dummy you weren't doing backups if I was doing backups and I was doing things like a pasture manager and it still wasn't enough and this is why I wanted to share that my Maya misfortune fortunately not that misfortune because it was just a test I want to share that because I think other people especially people who had attending conferences like this are more likely to put themselves in a bind with extra security controls and not realize it because I wrote my whole plan and didn't realize it was gonna fail until I actually tried

it so for me a circular dependency was my problem that's what broke my backup plan but I'm worried about other things so multi-factor and this is where it's really tricky because I don't I don't want too much fear about multi-factor buy once I want to talk about the risks it has and how we need to compensate for it so if you're using SMS to factor which right now is all the rage to be like that's terrible so we're probably gonna see things shift away from that maybe faster than we were expecting you need to have your cell phone maybe you have an application doing a software token if your cell phone is no longer around

what's backup for it if you have backup codes then that helps get around if your multi-factor is not working well where do I keep my backup codes encrypted file vault so that doesn't help me so I need to think about that and then you have your Hardware tokens well the hardware tokens are great and they have the best security that you can get multi-factor now and I love that and for work I use them all the time great but the problem is is that we're not talking about work we're talking about you and with multi-factor tokens what happens if your primary one gets melted in the fire where's your secondary one okay you have a secondary one is it off-site we

it kept off-site do people know where the off-site location is so you run into all the same problems that you're dealing with backups is now something you have to deal with your multi-factor now when I was thinking about this I was like okay let me see if there's an answer to this and so I searched the vendor websites for what like okay what what's your backup plan with your disaster recovery and they say okay issue two tokens for your users just to be like really safe you wrap your primary and you're gonna have your backup but remember the worst case is I just have to call to help desk I am my helpdesk if I get hit by a bus the

entire helpdesk is dead so that's not very useful and so it's something to think about when you think but multi-factor is that a lot of times it's being pushed thinking enterprise and thinking about helpdesk and yet to think about how it works for you and making sure you're covered and making sure that you have your primary and your backup and your backup works with all your accounts and you always can use it and it always works so something to think about as we get we seen that adopted more and more places you also have backup failure this is where you're doing backups but they really weren't backing up what you thought maybe it wasn't including all

the directories you thought about maybe the backup hasn't run for six months and you didn't notice that you can find stories of people that had personal backup software online they go they go recover it and their archives been corrupted for six months and no one told them so that's not very good the backup didn't work so that's something that we want to test for to make sure the backups actually work and then we have existence failure and this is really one of the harder parts of everything because what this is talking about is if you have backups and they're on Mac and they're off-site and they're awesome and you can always get into them and the

person you care about has no idea they're even there then they're worthless if they don't know what provide you're using they're worthless and if they don't know the username and password then they're worthless and they don't know how to use the software then the backups are worthless yes the backups are worthless not the person you're thinking about sorry so but this is difficult because again we're not thinking just about ourselves it'd be great if we always could do that but we're thinking about what can other people in our lives do if we're no longer around and then there's just inaction failure which is if you don't have a plan then trying to use the plan it's not going to work

so how do we build a plan so first we're gonna start off simple right the plan for you and so what this means is you still want to document things you want to start writing down your plan so you make sure you have good coverage all the things that matter to you but the nice part is is that when you run through and test it you get to be the one it's in your mindset so you know you best and you know what software you're using and what all your habits are so this is relatively easy but when you're testing it it's still good to make sure you're not thinking of things in your head that

if you need some special password or need to know where to go to it's on your plan and Emilee make it a little bit harder we have to write the plan for someone else so now you can't just say oh here's a passage of my encrypted file volume and that's all you need for someone else you say I'm using this type of software let's say you're using veracrypt and it's a it's my Drive decryption software and here's the password okay a little bit more detail but then we go back to the problem of the spectrum of technological competency and realize that maybe the person you're thinking about struggles to use technology and so you need to write a

plan for some of this less technical venue and this is harder because now you have to say all right I use veracrypt download from this site once you go your downloads folder press install yes yes accept yes install okay you've installed it now here's what this encryption software is here's a mountain volume and four-page layer you're ready to get them started and actually doing anything because they've never used anything like this so this is more difficult now we do have ways to make it for the servo cover later but it is important to think about but there's more the very beginning we talked about this you want to think about the plan for someone else what

happens if they're gone and you're the one picking up the pieces if you're lucky your plan in their plan can be the same if you're married tada that's a lot easier but maybe you're that's not to your situation and so you have to think about are you prepared to pick up the pieces and this is more difficult because really at any time you can decide yes I want like this sounds great I'm going to start doing the planning I put the thought into it and execute it but it's hard to convince someone else that it's worth it to so what's in a plan this is not vary based on how old you are if you're married you have kids are your

retirement are you far away from retirement it's gonna change what you're thinking about but this is a loose framework of things that you can put in your plan so passwords what's really nice about passwords is that now the security recommendation has been pushing password managers we can't remember with lots of passwords I have 340 accounts in my password manager so I always laugh when I see some article talking about like now I can remember ten good passwords I'm like that that's never close at the zero and triple it and that's why I deal with so fortunately from a security perspective we can get a boost by using password managers but we also get a disaster

recovery boost because now we've consolidated it is one of the risks of password managers but at the same time we've consolidated all this access into a place that we can delegate if we need to so rather than your plan having to have 440 passwords that you have to remember and write down and test make sure they even work instead you just give access to your password manager and you're good now the problem I have for power managers there's more out there these four I have used I switch recently from last class to one password I'm very happy with one password but remember the security model change and so it's very important whenever you change this to

rethink your disaster recovery plan and it's also important to think about the security model and the test with whatever model you're using yep

hmm that's a good question so that is one of the things you wanna think about is continuity of bills and that's the thing if you take it locked out if people know that you have one password and maybe it locks you out I was I'll personally I'd not run the situation but I would assume that they would say well if you pay your bill then we'll let you back in and that sort of solves that problem but it is something to think about because especially if you are using a cloud service provider as opposed to just hosting yourself like I can possibly help with that solution one password offers two options happens offers the cloud solution and the local

solution the local solution the benefit of is it never goes to the cloud but also allows you to synchronize with your devices over a local Wi-Fi so therefore you both have access to not having that issue in which you have to pay them because it's a one-time cost and it allows you to synchronize with multiple wireless or portable devices no it's consistent it's still there that that hasn't changed that model continues to be available too and I've been using it for many years and it continues yeah so there are multiple allows with one password if you want a purely offline model KeePass as well a lot people use for that you can synchronize that in Dropbox you can do

so those types of things but it is important to think about if you're taking more of that you know technical debt essentially in the management well yes it's nice not this like trusted cloud service provider but then you're okay what happens if you're like now you have to worry about your Dropbox you have to worry about that being a critical asset for them to get in your past marriage and all those such things so it is an issue so we also one thing about backups this is something that we've talked about already but we will make sure they're on Mac and they're off site you get bonus points if you're doing that locally and that will

likely be faster in a lot of failure scenarios if you just lost some files it's a lot faster copy locally then download from someone else's cloud but at the same time that local Drive that maybe it's a second Drive in your desktop when your desktop dies or is stolen or is you know melted or floods the same things gonna happen to that Drive so there's a variety of providers back plays is why I use there's also spider Carbonite if you were a crash planned personal user they have since retired their plan don't let them closing that down prevent you from having the backup make sure you take the time to switch you mean what

for the personal to business okay yeah so maybe you have the business option it's just a not tailored to personal use as much but really the point is is that make sure you have one pop synchronization file synchronization services like Dropbox Box onedrive those can count but really only if you're honest with yourself if you don't have everything synchronize or it does have enough space you have to pick and choose your files that's not really good enough they're not really meant for for all Mac backup so while you can kind of clutch it and make it work is good just accept that you nee a pack provider what's nice is that they've made this commodity back

is five dollars a device a month. That's a price I'm willing to pay to just not deal with the problem. I could make some Amazon EC2 instance and do some rsync stuff like I used to do when I had a lot more free time, but at the same time if that stops running I might not notice for three weeks, and that could be a problem. You also want to put your financials in the plan. What's nice about this is that this is relatively simple, because this is helping solve the existence problem: all you need to do is just write down all these plans, and that will be very useful to someone else just to know that they

exist. So your bank accounts, checking, savings, your investment accounts, any retirement accounts, cryptocurrency (that's where you're going to need more detail because of the complexity and the fact that it's purely digital), and then anything you have like bills, credit cards, or, you know, all those sorts of things. But really this is not going to take you very long. It's a table that says what the account is, who it's with, maybe who the point of contact is if you're used to dealing with someone, or if you have a brick-and-mortar place you go to, where that is. Those are the types of things that take you 60 seconds and save someone weeks of struggle when you're no longer around. You also have to deal with

credit bureaus and the government. If you're in the U.S., we have a lovely credit system. The big ones are Equifax, TransUnion and Experian, but you also have the fourth one that most people don't know about, called Innovis. If you freeze your credit, like you should, as of September 1st it's free to freeze and unfreeze your credit with the big four. Yeah, the Senate passed that, so that's actually really nice. But you also have NCTUE. Mm-hmm, yes, they did a good thing, so now it's free. It's a really good recommendation to stop identity theft. My Social Security number and all my personal information is out, like it's been leaked every day of the week, so I just assume

that everyone has it, that you can Google for it, so I lock my identity down. I locked down my wife's and my family's. But if I'm no longer around, they need a way to actually unfreeze that and to manage their credit again, otherwise they're going to have difficulty with their finances. If you haven't heard of NCTUE, that's a more recent public-facing one; it's through the telecommunications providers. Brian Krebs reported on it more recently. That's something else you could be freezing. But then also, to worry about making sure you've thought of the government side, you have the Social Security Administration, and even if you're far away from retirement it's actually generally good practice, again Brian

Krebs has reported, for Social Security, to create a Social Security account, so that way an identity thief can't steal your identity with the government or with the IRS. So these are things we might do; we'll make sure that if we're no longer around we can pass this off to the people we care about. And for taxes, you also might just have your tax filings, and you'll make it a little bit easier when April comes around. So, things to think about. Maybe you didn't get hit by the bus hard enough and so you'll use your insurance. It would be great... this might be as simple as just looking in your

wallet, but depending on the scenario that might not be accessible. It takes 10 seconds: write down what your health insurance is, because we need to make sure that you don't get like ten million dollars in hotel... or hospital bills. It's also nice to make sure that your house is taken care of. Or maybe the bus was going just fast enough and you need the life insurance policy. If it's something through your employer, this might be easier for your family to find out about, but if you have separate policies it might be something you need to document so people know that. Yes? Sorry, two things. One, you also have to think about a will

or trust, and two, you don't want to have only a life insurance policy through your employer, because if you get hit hard enough by the bus that you're in the hospital and the employer releases you and then you die, you don't have life insurance anymore. Yep, and we'll get to the will part in a little bit, but right, so regardless of what policies you do have, it's important for disaster recovery purposes to know what you do have in the first place. And then we have a catch-all for your home and your home information technology. As we add smart things and we start having more complex networks, if you're like me, I

have a really complex network for absolutely no good reason. I have like five VLANs, and it's just ridiculous, but I'm my own NOC, and so if I go down then the network might start going down, and so those are things I have to put in my plan. But really this is a catch-all for how do you keep your house running. Maybe in 2018 it's as simple as pay the water bill and that's about it, but in 2030 how do you keep your house running, and what's it going to look like in 2050? And so as we start adding these things, your plan needs to change accordingly. And then we're going to talk about general technology and security, so

maybe you're doing something that's different than what an average person would expect. Maybe you are using multi-factor. Well, that's great; can the other people in your life use the multi-factor to get into your accounts? So maybe you have a primary and a backup key, great, but where is the backup key, how do they use it, how do they use it to get into your life? And so that's more difficult. Now, something that I put in my plan that I found extremely useful is to have points of contact, and this is how you simplify a lot of the really hard technical problems. So rather than write a 5-page essay to my wife or to my

parents about cryptocurrency and what private keys are and what exchanges are, and just talk ad nauseam about blockchain, instead I can cut that all short and say: I have cryptocurrency, here's the bare minimum details you need, and here's my buddy Tyler. My buddy Tyler, he knows everything you could possibly need about it, and I trust him, and he will help you. So on a bad day you call my buddy Tyler, and instead of having to write five pages I wrote one sentence, and I actually have a lot more assurance that anything will actually go right, because he can just figure it out, he'll just know, because that's my buddy Tyler, whereas my parents, even with good

instructions, would not get into my cryptocurrency. So that's how I solved that problem, and so this is something, as you think about your plan, I would also encourage you to reach out and find points of contact for yourself, but also think about who you could be a point of contact for, so on a bad day people in your life can count on you to help them out. All right, so, bonus. We're getting really grim; we're talking about all your digital life and everything is falling apart and everything is very sad. So what else can we think about? Well, a lot of these disasters are not exclusive to your digital life or to your laptop

or your desktop; they really involve your physical life too. And so if there's floods or hurricanes or other things you might be dealing with, you should also think about physical kit. Now, I'm not an expert on this, I'm not saying be a prepper; if you want to build a bunker in your backyard, that's awesome, you don't need to do that. But you should also think about, okay, what do I want to take with me? Backup batteries, those are really awesome for just having more cell service than anyone else, but then first aid, water, non-perishable food, those types of things. You can escalate into how much you want to have. I think Costco will sell you a 365-day

supply of canned goods; it's like $1,000. It's a great, great deal for you: $1,000 for 365 days of cans, but that's escalating it. Now think about an analog will. So, not to dwell on it, there's a couple of components to it. It depends on your life; you can start to think about things like a trust and add more complexity, but it really comes down to: who's going to carry out the will, who gets your stuff, how is your stuff split up, and if you have kids, who's going to be the guardian for them. So this is something I'm certainly not an attorney or an expert on, but something that you can be thinking about. If you're thinking about all of your digital life, you can take a

few steps to think about the physical, you know, run-away kit or your analog will as well. So we've talked about the plan and why you want a plan, and what should go into the plan, and how your plans could be awesome, but there's some complexities to be addressed, and unfortunately this has actually been the hardest part for me. So, update your plan. Okay, when do we update it? Well, when you use your plan, that counts as an update, points for you, and then every 12 months or six months is a good interval, but really the answer is that you should update whenever anything changes. So if you change providers, or something's changing in your life, new accounts, removing accounts, those are

the things that warrant updating your plan. And whenever you change that plan you should test it, because, like myself, it wasn't until testing that I found out my problems. And the small changes, oh, I changed my password provider, not a big deal, caused me problems, and so only testing will show that. Now, how do you test it? So for the more technical side, the easiest way to test it is essentially just spin up a Linux live CD. You can either do this with an actual computer, or you can do it even easier with a VirtualBox VM or some sort of virtualization software. If you start up a Linux live CD, ha ha, you have a brand-new computer. If you can get

into what you care about on that Linux live CD, then you're good. You have to use the plan; you can't use it from memory, because that's cheating. You have to use the plan, but if you can get the things, then you're good. In my case I used my plan and that wasn't good enough; my plan failed. I had to go outside my Linux live CD, my virtual instance of it, to actually run my plan to ground, and so that wasn't good enough. And so that let me iterate and figure out, okay, how do I make my plan better, how do I make it better for myself so that it actually works, and I tested again, and actually

now it works. Cool. But you also want to think about testing your plan with the people you're thinking about, because it's really easy for us to overlook things and just use something that's in your head that you don't realize is actually an important detail. So it's good to run it through with the people you're thinking about in the first place, because one, they'll tell you when you've overlooked something, and two, it gives them a lot better chance that they'll succeed, because, well, they've seen it before if they ever need it. And that comes to storing the plan. So what I've just asked you to do is, I want you to write down all the important details to take over your entire digital life so

that someone else can do it when you're not around, and then put that somewhere, and that's a really hard problem. In my case I've accepted the risk, and the way I do it is I have two physical copies. So my digital copy is just the framework; I fill in the important details, I print two copies. I have one in a fire safe, but I don't think that's good enough, because what if my house just completely burns down and now it's just ash. And I have one at my parents' house. Okay, so why can I do that? Two reasons. One, my parents are far enough away that the same disaster is probably not going to hit both

of us at the exact same time, but they're close enough that I actually have a chance of updating it regularly. Now, I'm thinking about planning to do so. And two, because I trust my parents to not use the plan against me. Not everyone has the luxury of those two assumptions, so this is just something that works for me, and it's not something that works for everyone. I thought about safety deposit boxes, but that doesn't always work, because with safety deposit boxes, that's something that the bank is controlling. You have access to it; you can have other people have access to it. That might help if, let's say, you're thinking about a spouse: you can

just make sure they have access to it, that's good enough for them. But let's think if you're thinking about someone further away; maybe you don't want them to have access all the time, and then that means if you die, okay, it's going to fall back to your traditional will or to beneficiaries, and there's going to be time that passes before they can get into that safety deposit box, and so that's not necessarily going to be the fastest thing that you might want for your digital will, essentially. There's other things to think about, like a dead man's switch. The problem with that is how do you give them your plan and make sure that this is not some

digital service you hand all your secrets over to. How do they actually distribute that in some sort of encrypted form that people can get to without a lot of a priori knowledge, building encryption and all those sorts of things? So that's not necessarily simple; this takes some finesse. It depends on where you live, it depends on what other people you have access to. If you have the ability to store it in a good fire safe or something like that, that might be acceptable to you. But something to think about: if you just went to all this effort of building this disaster recovery plan and testing it, make sure that the plan itself is accessible and make sure the people that you care about

know about it, because the existence problem applies not only to the backups and all the things that are in the plan; the existence problem applies to the plan itself. So don't spend all this time and then have it be completely forgotten about. So for some people, when I was doing trial runs, they were like, wow, this is just insanely overwhelming, I have no idea what to do with any of this. And so my message to the people thinking that is: just try something. You don't have to go home and do this tonight and have a full plan that's tested by tomorrow morning. That'd be awesome if you did, but you don't need to do that. If

one person in this room does anything at all to get slightly better posture to deal with any sort of disaster, I can call that a win. So just try and do something, start on the path. If you don't use a password manager and aren't doing any sort of backups, then just start towards that, fix that problem, and then think about the bigger problem of all the existence problems and storing it and all those things. So at least get started so you can handle some sorts of disaster. So, to summarize: off-site backups that are automatic; a password manager to consolidate and just have good security practice; documenting it so anyone else can actually follow it; and actually doing any of this is pretty important

too. And then when you've done that, you need to test it to make sure it actually works, because the reason we're doing all this is because we were thinking of someone at the beginning. We were asking ourselves about someone else we care about, and that's the motivation we need to do this. So that's all I have. Happy to take more questions; I'll stick around a little bit afterwards if you have some. [Applause]

Sure. Why did you switch from LastPass? What was it about LastPass that made you want to change? So for me it was less about the security or the backup or redundancy or anything like that; I just found LastPass was a little bit more difficult to use intuitively, and there really was just like quirkiness where 95% of the time it worked right and then the other 5% of the time it just didn't sync or something didn't end up the way I liked it. So I tried 1Password, I was basically drawn to it and liked that, and what I also really liked about 1Password is they published a very thorough security model, and, you know, with any password manager you have

the struggle of, well, how good are they actually doing? Unless you audit their entire binaries, because most of them are closed source, how do I know that they're not just, you know, shipping everything off? But I like their security model; it shows that they're thinking about it in a thorough way. They think about the attack surface; they're not just going completely overkill on every security problem you need to think of, but they're doing what they can that's reasonable. So I found that it was a good balance between security and utility; that's why I liked it.


So you briefly mentioned the use of safety deposit boxes as a place to store your digital life, in a sense, and you said that you didn't think they were generally the most optimal idea because of the potential lag between when somebody who needs to get in, that you have previously told the bank to allow access to, can have access. But could you not tell the bank to give the executor of your will access, like when you sign up for your safety deposit box? And then, you know, when you're dead and they're coming in to clean up your life, they can

just get into it that way. So you potentially could. It's more likely that you're going to have a death certificate along with the will, and that's going to be how you can go around and go to banks and do this. In the experience with my grandparents, you can go to some banks, Bank of America, and the paperwork is just different every time you go in, and so it takes some time to just get it right. So it's not always straightforward; there's going to be a time delay. Eventually it might work out; it's just how much time are you willing to accept. Let's say, in your case, you were talking about the bills and the cloud

payment and all that sort of thing. But what if for 14 days you can't get into any of that? Is that acceptable to you? So you could do a safety deposit box in addition to other things to help mitigate that risk and just kind of have options, but at this point I don't want to rely on that. It also requires money. You could, if there are certain people you're thinking about, be willing to give them access to it basically all the time, so like for me, if I set it up and just let my wife have access, that's acceptable to me. But what if my wife and I are driving along and we're both killed in a car crash?

This entire topic depends on how paranoid you are and your risk level, and those are the same thing; it depends on how realistic you are, it depends on what your level is. So I'm not assuming that myself and my wife and my parents and my brother are all going to get hit in the same car crash, but at the same time my wife and I spend a lot of time together, we travel together, and so maybe the risk of us actually both not being available is higher than I'm willing to accept. Yeah, for YouTube. First of all, thanks for laying out some of these things that you went through. I haven't done the plan; you know, you

motivated me to look at that. My general statement is based upon a little bit like when it came to... my dad passed away. For every account that there was joint ownership of, we could get all the money out fast, but my mother accidentally leaked to one bank that my father had died, and they were like, okay, we're shutting off access, nobody can get to it until probate. So there's a certain amount of: if you don't say anything, closing stuff down in your life is a whole lot easier than if you say something. The second thing is, I've also gone through the statement of limiting how much is my digital life versus my analog life, so there's a number of bank

accounts where I purposely said no, send me a paper statement, I don't have login access to it, because the vulnerability my threat model says is that I'm more likely to have Google lock me out of my account than anything else, and so therefore don't have all these things becoming digital, make them all analog. So that'll be my suggestion: to say, before you say everything you have to protect, think about what you can simplify. Sure, yep. You can always try and simplify things; keep some analog traces, those are useful. The thing that jumps to mind is then a registration attack, which just totally depends on the bank that you have, because what if, to

make a new account or to register your online account, this requires the last four of your Social and your billing zip code, which everyone knows about me because you can just like Google it, probably. So it depends on whether you're willing to accept that. That sort of comes back to the Social Security account, where you might not make that account because you need it right now, but you make that account because you don't want someone else to create it. So I kind of struggle with: if you stay away from digital, then someone else might move you digital, whether you like it or not. But I think it's a good general concept to keep in mind about what can you still

keep physical, easier on yourself. Okay, that's the end of my time, so I hope you have a good closing ceremony, stay safe, watch out for those buses, and the cabs will take you out, so watch out too. [Applause]