Backups at home

I've written before about business backup solutions, but I've had a few questions about backing up at home, and that's a somewhat different animal.  Some of the same principles apply, but the tools are different, and we're not* (most of us) backing up 4 terabytes of data from a server system.  We can use simpler solutions, which is important because if it's not sufficiently simple we just won't do it.  Everything I'm going to recommend here is as automated as possible and requires only absolutely minimal intervention.

Why do you need backups?  Because computers fail, and in particular the hard drive, which holds your data, is one of the most failure-prone components of your computer.  If your hard drive dies, a new one will have your operating system on it, but none of your old data will be available.  All of your old papers, all of your kids' pictures, all of the mp3s you copied legitimately from CDs you own, etc., will have vanished.  Given the ease and lack of expense with modern backup systems, you have no reason not to set something up.

To be fully backed up you are going to need two copies of your data beyond the one on your computer now:

  1. A copy at home, which you can use to do quick restores
  2. A copy somewhere else, which is your last resort against catastrophe or theft

The first one is actually the more complicated component.  You need some sort of external storage; a USB hard drive works well for this.  If you're on a Mac, this is going to be very easy; plug in the drive, launch the Time Machine application, and it should step you through setting up a backup.  Windows is slightly more complicated: Windows 7 and Vista (and later) include a backup system that's quite good, but not as dead quick to set up as Time Machine.  You still shouldn't have many problems.  Earlier versions of Windows don't have the same technology built in, but there are great products like Macrium Reflect which will work for you on XP.  If you're on a Windows machine that's earlier than XP, you should go upgrade now.  New machines are the cheapest that they've ever been, and places like the Dell Outlet will sell you an inexpensive refurb that will be ten times faster than what you're using.

So, grab an external drive.  If you're using a desktop, just plug it in, set it up, and forget it's there.  If you have a laptop, plug it in and set it up wherever you usually do your computing, then when you take your laptop, disconnect and leave the drive there.  Just plug it in when you're at home. Your backup is meant to protect you against things like losing your laptop; if you're carrying the drive with you, it's no help.

The offsite backup, as promised, is going to be the easy part.  If your vital files are small enough, you can use a free product like Dropbox or Google Drive; you'll need to be under 2-5 GB of storage, and all of your files will need to be in the same location.  These have the added benefit of being able to sync files to many devices, so they can be worth it for some really important documents even if you have to use something else.

A much better and easier, if less completely free, solution is to subscribe to an online backup service and install their application.  CrashPlan is my current favorite here, and Carbonite is another good choice with a more clever name.  I would avoid Mozy, because it's harder to use and is developing a poor reputation.

Some things to avoid:

  • Apple Time Capsules: these marry two great products: Apple's Airports, which are excellent wireless routers, and a network-attached storage device (NAS), which is an excellent way to store your files.  Together, they make a solution that is much worse than the sum of its parts.  This is because you treat storage and routers completely differently.  You know how you have to shut your computer down exactly the right way every time, or it complains at you?  That's because just yanking the plug out is a good way to damage the hard drive and destroy all your data.  Now, how many times have you had to reset your wireless router? If you haven't, you're lucky, but if you have you know that this common procedure requires yanking out the power cable.
  • Just using one of the above options: if you don't have an offsite solution, then your data is gone in the case of an event that damages your machine and your external drive, and because both are in your house that's not an impossibility. If there's a fire or a flood, you may not be immediately worried about your pictures, songs, or documents, but you'll thank me in the aftermath when you're able to recover that tax document or family picture.  If you're only using off-site backup, you'll miss out on the ability to very rapidly grab an old version of something, or an accidentally deleted file. You'll also be relying on your backup provider not to go belly-up, or to be unavailable when you need it.
  • Backups that require your intervention: some people try to manage their own offsite backups by rotating drives and storing one somewhere else.  You're human, though, and you don't always do all your chores, do you?  You'll eventually forget about it, precisely because you rarely need a backup.

If you set this all up and then forget about it, it won't interfere with your normal process at all.  And one day, you will have a drive failure, theft, or some other disaster occur, and you'll be very happy you put in this minimal time and expense.  I know; I've had drive failures in the past, and had to rebuild my files from the ground up.  This is my job, and I've failed to do the manual backup that I was using at the time.

* Okay, I mean, I am, but still.

Plug-ins, plugs and passwords

First, a quick plug: I've written a Chrome Extension to solve a problem that I, at least, was encountering.  I have a primary email client (Outlook) that I want to remain my default mailer, but I also want the ability to quickly and easily send from a Gmail account that I'm logged into.  The extension adds a right-click menu option to links that pops open a Gmail compose window instead of opening the usual mail client.  If you use it, let me know what you think.  If there are any other webmail clients that someone needs support for, let me know and I should be able to add those.

So, let's talk about passwords.  First, let me try to guess your password.  Is it "password"?  No?  That's the single most common password, so that's what I'd guess first.  Next would be "1234", "12345" and so on until "12345678".  It's not that?  All right, now I'm going to start guessing your first name, your last name, etc, then different combinations, then I'll probably check the internet for public information about you.

This is going to take me a while.  However, being technically savvy, instead of doing this myself I could just write a computer program to do it.  Even a desktop computer is capable of trying thousands of words per second; if your password is in the dictionary, or it's a slightly modified dictionary word, then I'll get it in a couple of minutes at most.  If I have access to a more powerful machine, that time will drop to seconds.

And it doesn't need to be in the dictionary.  At ten thousand guesses per second, I can go through every eight-digit number in three hours on just a beefy desktop computer.  With a powerful server, I can go through every eight-letter word in a matter of seconds.
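To check a prospective password against this arithmetic, here is an added example (not code from the original post) that estimates how many guesses a password costs an attacker and how long that takes. The word list, the dictionary size, the number of variants per word and the offline guess rate are assumptions chosen for illustration; only the 10,000 guesses per second figure comes from the post.

```python
import string

# Guess rates: the first is the figure quoted in the post; the second is an
# assumed rate for someone working offline on a stolen password database.
RATES = {"desktop, 10,000 guesses/s": 1e4, "offline array (assumed 1e14/s)": 1e14}

# Constructed stand-ins for a real dictionary attack (all assumptions).
WORDLIST = {"password", "dragon", "monkey", "sunshine", "letmein"}
DICTIONARY_WORDS = 100_000   # assumed size of the guesser's word list
VARIANTS_PER_WORD = 10       # assumed number of modifications tried per word

# Substitutions that turn a "slightly modified" word back into the plain word.
LEET = str.maketrans("@4013$5!", "aaolessi")


def alphabet_size(pw):
    """Size of the smallest character set a brute-force search must cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(not (c.isascii() and c.isalnum()) for c in pw):
        size += 33  # printable ASCII symbols plus space
    return size


def is_dictionary_variant(pw):
    """True if undoing common substitutions and suffixes yields a listed word."""
    lowered = pw.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    return any(c.translate(LEET) in WORDLIST for c in (lowered, stripped))


def estimate(pw):
    """Return (method, guesses) for the cheapest search that finds `pw`."""
    brute = alphabet_size(pw) ** len(pw)
    if is_dictionary_variant(pw):
        return "dictionary", min(brute, DICTIONARY_WORDS * VARIANTS_PER_WORD)
    return "brute force", brute


def humanize(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, span in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def report(pw):
    """Return (method, {rate label: worst-case time to exhaust the search})."""
    method, guesses = estimate(pw)
    return method, {label: humanize(guesses / rate) for label, rate in RATES.items()}


if __name__ == "__main__":
    # Constructed sample passwords, plus the example password used in this post.
    for candidate in ("12345678", "P@ssw0rd1", "6eE*jhgf"):
        print(candidate, report(candidate))
```

A password that adds symbols and digits to a dictionary word still lands in the dictionary bucket, which is why character variety alone says little about strength.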

This has been a hot topic of discussion around the technosphere lately.  XKCD addressed the topic, and Steve Gibson Research posted a "password haystacks" application to test prospective passwords for their strength.  Both of these are good resources (yes, even the stick-figure comic), but neither of them addresses what's arguably the most dangerous thing people do: reusing passwords.

Say you have a relatively strong password, but you use it for almost every web site you log into.  Few web sites allow super long passwords, but maybe it's something like 6eE*jhgf, which is by any measure hard to guess.  Now, imagine that I hack into, say,, and they're not storing their passwords sufficiently securely (because, of course, you have no way of knowing ahead of time if that's the case).  Even with the above password, GRC's password haystacks say a dedicated cracker could break that in minutes if they could take the password database offline, which is exactly what happens when a popular web site is cracked.

After that, your username on that site (and slight variations thereof, like your email address) goes into a cracking system, and the hackers can now attempt to use that same combination on every web site. If you've re-used that password, you'd better hope that you can get to all of them before the hackers can.  You'd better hope you remember all of the sites you've logged into.

Realistically, no one can remember a different password for every web site.  However, there are two primary options short of that:

Option 1: create a selection of passwords.

  • Use one, long, strong, totally unique password for your primary email account, because that is how you can reset all of the others in an emergency.  
  • Create another super-strong one for vital accounts like banking and bills--anywhere with information that's potentially dangerous--but remember that because your primary email address is the key to resetting these things, that one's even more important.  Also, use that second password anywhere that you're storing personal information, like your birthday or mother's maiden name, because many sites will allow someone with that information 
  • Use a much simpler password for throwaway sites you are absolutely certain don't have any useable personal information.  Ideally, create several simple passwords for this.

Option 2: use a password manager.  This option is much easier than the above, and provides greater security, provided that you trust the company that runs the password manager.  But that's a big "provided", and you ought to put a lot of research in before picking your password manager.

I use a hybrid of these two.  I keep a unique password for my primary address that is not saved anywhere (in fact, I use two-factor authentication, but that's another discussion).  Then, for all other sites, I use Lastpass, and I keep a strong password on my account with them.  Lastpass has a great reputation, and appears to be doing everything correctly; no one is hack-proof, but the one time there was an intrusion on their servers they immediately disclosed the information and required everyone to reset their login passwords (the data transferred off was too big to contain whole user databases, but better safe than sorry).  Maintaining a separate (strong, long) email password means that in the event of a catastrophic intrusion at Lastpass, I still have a way to authenticate myself and begin resetting my passwords.  Let's hope that doesn't happen.

Other popular managers are 1Password and KeePass, both of which have good reputations for security.  I haven't used them, but have heard good reports about them.  

How do I block ads in my browser?

Image from The Consumerist

No one likes to see ads, and until advertising companies cotton on to the fact that advertising that people enjoy watching works while annoying or sexed-up advertising doesn't, your only real defense is to block them from displaying.  There are a couple of different methods for doing this, depending on your browsing habits.

Of course, this site being ad-supported, I may be shooting myself in the foot here, but frankly if my advertisers want your revenue they should be producing better ads.  I'll add a Paypal donation button before I publish this, and if you like my advice here you can feel free to drop me a couple of dollars to keep the lights on.  Or not, as you will; this isn't my primary business, and I do fairly well on my own.

If you exclusively, or almost exclusively, use one browser, there will be an ad-blocking extension for that browser that should install in seconds and work the vast majority of the time.  Each of the major browsers has their own: Internet Explorer, Firefox, Safari and (my personal primary browser) Chrome.  They're all dead-simple to install, and each works very well right out of the box.  Should you install these, feel free to throw a couple of dollars into the donation box on each site, if available; this is, most likely, their primary business.  I can't speak as to how well they do.

If you use multiple browsers, or use an alternative browser that doesn't already block ads, you have a couple of options.  The first, and easiest, is to install the plugin for each individual browser.  The second, more complicated but more powerful option, is to install Privoxy. Privoxy not only blocks ads, but can also be used to scrub your incoming and outgoing internet connections in a lot of highly configurable ways. Web sites, these days, are less one object and more a collage of pieces from all over the internet.  You'll have locally-stored text, images from some other server, embedded video from Youtube, and ads from some remote location (any one of which could contain a thousand other objects, including malicious code). Privoxy works by passing all web traffic through the local application and selectively denying certain requests; for example, if a web site includes blocked ad content, it allows through all of the requests for the page's own elements--text, images, what-have-you--but blocks those calls to external servers that would send you unwanted things.  You can use it to turn off almost anything, although if you screw it up you can use it to turn off all web access, too.  I highly recommend it to advanced users and those who want to play with having more control, but if you tell me you broke your computer with it I'll charge you to fix it.  That's my primary business.


Should I use antivirus?
Yes.  There are great programs out there that are lightweight and free, so your only investment is the time it takes to install.  You're not only protecting yourself; there's a concept in medical immunization called herd immunity that's also applicable here.  The more people on the internet who are running programs to protect their computers, the less likely it is for any of us to get infected.  You're protecting everyone you email, IM with, or contact on Facebook as well.
Even on my Mac?
Yes. Mac viruses are rare, but not non-existent, and all of the same reasoning applies.  You have no reason not to do it, and every reason to do so.  It used to be unheard-of for a virus to target Macs, but this had nothing to do with a special immunity of the operating system and everything to do with their market share.  Mac adoption, especially in business environments, has been climbing upward, and that's made attacking them a viable business model.
Okay, so which antivirus should I use?  What's the cost?
If you're a home user, there's no reason you should ever pay for antivirus.  For PCs, Microsoft's own Security Essentials is one of the best virus-fighting tools available, and is even free for very small businesses of up to ten users (beyond which Microsoft wants you to buy their Forefront product).  Apple has yet to step up with their own offering, but Sophos is free for home users and is quite good.

Business users will end up paying for protection, but it shouldn't be terribly expensive.  ESET's NOD32 product is one of the best in its class, and is very inexpensive as well as cross-platform.  If you have an IT provider, go with whatever they're comfortable with and recommend; the differences between the products matter less than understanding the ins and outs of the interface and being able to manage it effectively.
What about Linux or UNIX, smart guy, do I need AV for that?
Almost everything that I said about Macs applies here, but double because you were so smug about it just now.  You're probably--probably--a little more security savvy than the average Windows or Mac user, so your machine is probably locked down a little better.  However, you are by no means immune, and while Linux viruses are rare, antivirus is, again, free and relatively lightweight these days.  ClamAV is popular, easily available, and works well.

How do I fight spam?

Ah, yes, one of the most irritating aspects of today’s online world, spam makes everyone’s day just a little worse.  It’s not something that you can completely avoid, of course, or there’d be no money in it and spammers would stop doing it.  But the cost is small and so spammers don’t need much of a “hit rate” on their clickthroughs and scams to support the business.  It’s not easy to fight off, and there are some sophisticated services dedicated to just that.  If you’re a business looking for a way to clean up your incoming mail, I’ve had good luck with Google’s Postini and would highly recommend it.  If you’re an individual user looking for a cleaner inbox, read on.

It’s not always possible, of course, but the simplest way to fight spam is to avoid giving out your email address.  If a web site asks for it but doesn’t use it to authenticate you, and you don’t completely trust them, give them a fake address like If they do require you to click on a link, but you still don’t trust them, use a free temporary mail service like or and then forget about it.  Only if you trust a service and/or really want to receive ongoing mail from them should you give them your real email address.

Should you need to post your email address online, try to make it as difficult to read with machines as possible.  This is getting tougher, as the bots that grab email addresses online are getting more sophisticated; old tricks like “name at server dot com” don’t really work anymore.  The closer you can get to a natural language description, the better.  E.g., write “My address is my first initial and then my last name at Gmail”, and then give your name.   It’ll be at least a couple of years before Skynet can parse that.

There’s an old trick buried in the way that email works that helps at least track where spam is coming from, and it’s in how you enter your email address.  The plus sign (+) signifies to a mail server that it should ignore whatever comes next until it finds an “at” symbol (@), which allows you to lengthen your own email address with whatever you like.  Say your address is “” and you’re donating to a political candidate.  Sign up with the email address “” and mail will come back to you with that extended address at the top.  What’s nice about this is that if that candidate’s campaign sells your email address to someone, or hands it to someone else in the same party, you’ll know because you’ll start getting incoming mail with the extended address from them, as well.  You’ll be able to use mail rules (which we’ll cover another time) to filter or even immediately trash any unwelcome mail.
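The tracking described above can be automated. This added example (not part of the original post) reads raw messages, pulls the +tag out of the recipient address, and flags mail whose sender is not the organization the tag was issued to. The mailbox, the tag registry, the header list and the sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_MAILBOX = "jdoe@example.com"  # constructed address
# Hypothetical registry: tag used at sign-up -> domains you expect mail from.
ISSUED_TAGS = {"candidate": {"candidate.example"}, "shop": {"shop.example"}}
RECIPIENT_HEADERS = ("Delivered-To", "X-Original-To", "To", "Cc")

# Constructed sample messages.
SAMPLES = [
    "From: News <news@candidate.example>\nTo: jdoe+candidate@example.com\n"
    "Subject: Thanks\n\nbody\n",
    "From: offers@mail.otherpac.example\nTo: jdoe+candidate@example.com\n"
    "Subject: Donate\n\nbody\n",
    "From: friend@example.org\nTo: jdoe@example.com\nSubject: Lunch\n\nbody\n",
    'From: deals@spam.example\nTo: "J Doe" <JDoe+Shop@Example.com>\n'
    "Subject: Sale\n\nbody\n",
]


def plus_tag(address, mailbox=MY_MAILBOX):
    """Return the +tag if `address` is an extended form of `mailbox`, else None."""
    local, _, domain = address.lower().rpartition("@")
    base_local, _, base_domain = mailbox.lower().rpartition("@")
    name, plus, tag = local.partition("+")
    if domain == base_domain and name == base_local and plus and tag:
        return tag
    return None


def classify(raw_message):
    """Decide whether a message arrived via a tag and from whom it was expected."""
    msg = message_from_string(raw_message)
    # The From header can be forged; it is used here only as a tracking hint.
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    recipients = []
    for header in RECIPIENT_HEADERS:
        recipients += msg.get_all(header, [])
    tags = [plus_tag(addr) for _, addr in getaddresses(recipients)]
    tag = next((t for t in tags if t), None)
    if tag is None:
        verdict = "no-tag"
    elif tag not in ISSUED_TAGS:
        verdict = "unknown-tag"
    elif any(sender_domain == d or sender_domain.endswith("." + d)
             for d in ISSUED_TAGS[tag]):
        verdict = "expected"
    else:
        verdict = "leaked"
    return {"tag": tag, "sender_domain": sender_domain, "verdict": verdict}


def leaks_by_tag(raw_messages):
    """Map each tag to the unexpected sender domains that used it."""
    leaks = {}
    for raw in raw_messages:
        result = classify(raw)
        if result["verdict"] == "leaked":
            leaks.setdefault(result["tag"], set()).add(result["sender_domain"])
    return {tag: sorted(domains) for tag, domains in leaks.items()}


if __name__ == "__main__":
    for tag, domains in leaks_by_tag(SAMPLES).items():
        print(f"address tagged +{tag} is in use by: {', '.join(domains)}")
```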

Almost all email clients and servers include a method of marking mail as “junk” or “spam”.  This doesn’t just throw the message away; it also alerts the system that this is a message that you didn’t want.  This allows your client or your server to use that message to seed its algorithms, and makes it less likely that similar messages will get to you in the future.  It’s how modern spam-fighting systems are built; they’re fed as much spam as possible until they start recognizing the differences between that and wanted mail.  Your mail provider probably also has an address to forward spam to, which serves a similar purpose; contact your provider or your IT department to find out what that is.

You can take that last tip a step further and actually report unsolicited spam to the FTC by forwarding it to the address This allows the US government to track spam patterns and potentially find the senders and charge them with a crime.  Spam is illegal if it violates the provisions of the CAN-SPAM act, or if it involves otherwise illegal activities, like fraud—the infamous “419” scams were always illegal and didn’t need a special law to make them so.

These are just a few quick tips, and of course there are others.  If anyone has their own, feel free to post them in the comments.

Mail for Small Businesses

R2D2 Mailbox
photo by JoshBerglund19, used by permission under Creative Commons

This one comes up occasionally from business owners:

What should I use for email for my small business?

The answer to this depends on the size of your business, and what you need your email to do. Let’s start with a couple of questions:

  • Do you have more than ten employees?
  • Do you need to be able to share calendars and contacts?

If you answered “no” to both of these, then you will probably be able to use a free solution.  Google Apps, for example, is free for small businesses that don’t need the ability to sync information between employees—in fact, it allows shared calendars and contacts provided that you are willing to use the web application and don’t need something like Outlook.

If you have more than ten employees, but you don’t need to share calendars and contacts, then you’ll want to find an IMAP solution from someone.  IMAP is one of the two major standard email protocols, the other being POP.  The reason that IMAP is better than POP is that the former keeps all of your mail stored on your server in addition to your local computer, while the latter deletes mail from the server once you download it. Additionally, IMAP syncs all of your information about read emails and sent items—even if you configure a POP account not to delete messages, none of that extra data is sent.  This means that with POP, you risk losing important information—up to and including all of your email—if your local hard drive dies, or if someone steals your laptop.  With IMAP, all you need to do is to plug your account info into a new device, and all of your email is automatically downloaded, just the way it was when you left it.

IMAP solutions are usually available for around $2/month.  One well-known provider is Rackspace, but you should check with your web hosting service or ISP if you have them to see if they offer any deals.

If you do need to share calendars and contacts, then we have to ask another question:

  • Do you have more than thirty employees?

If you have under thirty people who need individual email accounts, then you should look into a hosted Exchange or Exchange-like solution.  Or, if you have more employees, but you are an educational or not-for-profit institution, you should definitely go with one of these, because it will be free to you.  For-profit enterprises can expect to spend around $5/month for these accounts.

Exchange is Microsoft’s email server, and while my friends in the open source community may disagree, along with Microsoft’s Outlook client, Exchange Server is the most feature-rich and easy-to-manage email environment.  Other providers, like Google Apps for Business or for Education, have developed Exchange-like solutions that mimic its functions, and in some cases introduce new functionality.  Compare and contrast Google’s offering with Microsoft’s own Office 365.  If you’d like premium setup and support, App River provides an excellent service.

If you do have more than thirty employees, you may find it more cost-effective to run your own email server, for which I would generally recommend implementing an Exchange Server or Windows Small Business Server (which includes Exchange).  You will want to partner with a local technology consulting firm, if not hire your own IT professional to do the implementation.  You will spend more money up front, but you should save money in the long-term.  However, keep in mind that the break-even point keeps getting higher and higher in terms of the number of mailboxes, and that there are dozens of even large, institutional clients who find hosting their mail more convenient and ultimately cheaper.  You’ll want to do a cost-benefit analysis before making any decisions if you’re in this range.

Should I Install Updates?

System Update
Image courtesy of bovinity
“Should I install those updates that my computer is always bugging me for?”
Yes, absolutely. The reason is that those updates almost always represent a security hole that the software publisher has found in their program, and any of those security holes could mean letting someone access your machine.

People have a sense that, unless they have a lot of money or sensitive corporate information on their computer, “hackers” won’t care about it, but this is false. The people who write malicious software (“malware”) are almost always using a shotgun approach; they are firing wildly into the internet and hoping to hit someone, anyone. Think of it this way: they’re not aiming to get $5 million from one person, they’re looking for $50 from 100,000 people.

Beyond that, even if you don’t have any sensitive information, or any money at all, a malware author can use access to your machine to turn it into a “zombie”, following his or her commands. If they use those 100,000 machines all at once they can suddenly get into much more sophisticated attacks on bigger targets. Your computer might just be a stepping stone to something much more valuable, like, for example, your bank.

I know that those updates are annoying, but they’re vitally important to keeping you and everyone else on the internet secure. Here’s a (non-comprehensive) list of some of the software that I, personally, have seen allow attackers to take over a system:

  • Windows
  • Adobe products, especially Reader
  • Internet Explorer
  • Java
  • Microsoft Office products (Word, Outlook, Excel, etc.)
  • Firefox
  • Dozens of downloadable games
  • And, yes, even Mac OS X

You’re almost certainly running several of these programs, and one of the two operating systems (Windows or Mac OS). If so, then you are running software that has been used to attack computers in the past, and the only two ways to close those holes are to disconnect completely from the internet and never plug even a thumb drive into your computer, or to apply the software updates as they come out.

Office suite roundup

Word Processor
Image used by permission from rahady, via Creative Commons

Just got this one from a friend:
Which office suite should I use for my small business?
This comes up a lot, primarily because everyone is familiar with Microsoft Office but no one wants to pay for it.  And for good reason: it's very expensive, and most of its functions can be replicated with free software.  That said, the basic answer is this:
If you're asking this, you should probably buy Microsoft Office Home & Business.
At least until the next version comes out.  Who knows what Microsoft will call this suite at that point?  This is the basic professional version, which includes the two things that are not well replicated in free office suites: Excel and Outlook.

Excel (as you no doubt know) is Microsoft's spreadsheet program.  There are other perfectly capable spreadsheet-makers, and we'll get into them a bit later, but the problem of using something other than Excel is that it almost always means switching from Excel, which in turn means learning new functions and shortcuts.  The overhead cost of re-training is always less than the up-front cost of a new copy of Office, although it's less than buying new copies of Office forever.  It's worth it to retrain yourself, but it's probably not worth it to retrain an employee who may not be around in two-three years for the next version.

All of that said, if your needs are basic, or you're willing/able to learn something new, there are some other great choices for you.  Or, if your needs are more complex, you may find moving to another suite makes more sense: Office Home & Business will run you around $200 for a retail copy, but if you need database tools or web-publishing software, Office Professional will be closer to $400-500, and it just goes up from there.

As far as installable client-side software goes, LibreOffice is the current open-source standby, and it's very good.  Its Office-compatibility is nearly perfect, although you will occasionally see formatting issues in very complicated documents.  Its spreadsheet program--Calc--will read Excel files and convert between them and its own format, but the formula names are often different and this is where the retraining overhead comes in.  It's free, though, so there's very little risk to trying it out to see if it will meet your needs.

If you don't mind a slightly more radical solution, Google Docs is an excellent cloud-based suite, and that comes with some drawbacks (no access to documents that you don't have an offline copy of when the internet is down) and some nifty features (online, simultaneous collaboration with anyone with a Gmail or Google Apps account).  This is another option that's freely available, so it's worth giving it a test drive as well. It's not quite as MS Office-compatible as LibreOffice, but it will get you most of the way there.  It's more than sufficient for standard word processing needs.

What do I use?  Well, I use all of these.  I use Microsoft Office professionally, LibreOffice for personal stuff and Google Docs for the collaboration features and to maintain an online copy of certain documents.  If it were just a little better for compatibility, I'd use Docs almost exclusively, but as is I need to maintain better compatibility with what my clients are using, so most of my work is done in MS Office.

Should I buy an iPhone or Android?

The raging battle between Apple's iPhone and Google's Android
Photo used by permission via Creative Commons from Tsahi Levant-Levi

For our inaugural post here, I thought I'd tackle one of the most common questions that I get from friends and clients and clients-that-are-friends-too:
Nick, I need to get a smartphone and/or replace my outdated Blackberry, and I don't know whether I want an Android phone or an iPhone.  Which is better?
There are two answers here, and this is the simple one:
If you are asking this, you probably want an iPhone. 
The reason being that iOS is the most popular unified experience in the smartphone realm.  It gets most of the interesting apps first, it is the easiest to use, and it's what all your friends have.  You'll have a much easier time working out what you want to do, discussing that cool new app that makes grandma look like she's in olden times, and connecting with every piece of software your office uses.

Now, if that answer doesn't satisfy you, things get more complicated.  Android does many things much better than the iPhone, and vice versa.  Android is also more complicated (the industry word is "fragmented", but I think that's unfair); the iPhone is a hardware platform that has an operating system, whereas Android is a software platform that manufacturers build hardware for.  The iPhone is necessarily more unified, while you can get Android phones in a thousand different flavors.

I'm going to give you a set of screening questions.  If you answer yes to one or more of these, you probably want an Android phone (which one we'll cover later):

  • Do you hate iTunes?
  • Do you want a "back" button?
  • Do you want a physical keyboard?
  • Do you want the biggest screen possible?
  • Do you have a lot of mini-USB cables around?
  • Do you want turn-by-turn voice GPS navigation?
  • Do you need to spend less than $199, but want up-to-date hardware?
  • Do you want to be able to use alternate default apps, like Swype or Touchdown?
  • Do you tinker with things, and care about freedom to do whatever you feel like to your phone?

If you've answered "yes" to any of these questions, you might want an Android phone.  If you've answered "yes" to most or all of them, you almost certainly want an Android phone.  If it's just a couple, then here are some followup questions that might push you back the other direction:

  • Do you need super-long battery life?
  • Do you own a lot of Apple products?
  • Do you want the hands-down most attractively designed products?
  • Do you need accessibility options for the vision- or hearing-impaired?
  • Do you want to use your phone as a gaming device (not just play the occasional game)?

If any of these is a dealbreaker for you (especially battery life), then you need an iPhone.  If you answered "yes" to more of these than above, you need an iPhone.  If they're about equal, you probably still want an iPhone, because that's my default recommendation to everyone, despite the fact that I use an Android.

Next time, I'll follow up with some tips on which Android to buy, if you're buying one. Which iPhone is easy: buy the newest if you have the cash, and buy it refurbished if you don't.

Couple of questions I know will come up:
What about Windows phones?
Windows Phone is all right.  It's a nice OS with very few apps compared to The Big Two.  If you find one and like it, you'll probably have an enjoyable experience, but I wouldn't recommend one.
What about a Blackberry?
Just, no.  RIM has abandoned shooting themselves in the foot in favor of driving their feet over and over into a wood chipper.  Their technology is terrible, and if your office doesn't provide Blackberries for you, your IT department will hate you for being the exception that makes them install RIM's awful add-on software to redirect your email at your horrible, horrible phone.  Don't.