Better 2FA on PayPal

I recently setup Two Factor Authentication on PayPal. It’s super annoying. Whenever I want to login I need to receive an SMS (which takes a few seconds at least to arrive) and type the code into the site. I need to get that SMS on my UK sim, which means I need to always have that SIM live and on me to login.

Well, not true. It’s not actually very safe as you can bypass 2FA with two security questions. Oh well…

Turns out, it’s possible to use an app instead. It’s not obvious that it’s possible for free, but it is. Install the Symantec VIP app (free) and then set it up. Simple. Just enabled, tested, and it works nicely. Definitely easier than waiting for an SMS.


Advanced CrashPlan backup strategy

Some lessons I’ve learned in my year and a half with CrashPlan. Please note, this is an advanced guide to CrashPlan. You have been warned. I assume you’re already familiar with CrashPlan and understand their backup sets, etc.

This post covers several topics (and I might update it later if I remember or discover more).

  • cron vs anacron
  • backup speed
  • file selection verification

Cron vs Anacron

Personally, I consider this a bug, and one that CrashPlan ought to have fixed a long time ago. When configuring “Verify selection every”, if you choose a number of days and a time of the day (which is the default), your backup verification will only happen if your computer is on at the scheduled time. Ala cron.

However, if you choose a number of hours < 24, and your computer is off at the scheduled time, the backup verification will run as soon as the computer is on again after the scheduled time. Ala anacron.

Bottom line, for your most important data, set the verification to run every 23 hours and accept that it’ll happen at inconvenient times of the day.

Backup speed

For a long time I felt like CrashPlan took forever to run backups. Eventually, more than a year after using the service, I decided to investigate. I found some excellent articles.

tl;dr Change the advanced settings. If you’re backing up compressed media, turn off compression. For backup sets that rarely change, change “Data de-duplication” to minimal.

I discovered this after I decided add ~500GB of media on a USB disk to my backup sets. After making these changes, the backup took about 6 weeks instead of 3 months! I regularly saw upload speeds of >6Mbps on connections that would support it, I was moving a lot during the 6 week upload period!

File selection verification

This is an optimisation I’m only now figuring out nearly 2 years into my CrashPlan adventure. If you’re backing up a large folder of very infrequently changing data, put it into its own backup set. For example, I backup ~500GB of audio and ebooks. I almost never add to the collection.

By putting this into a separate backup set from my photos I can run a manual file verification of the photos without also waiting for the verification of 1’000s of book files which I know have not changed. My advice is the more backup sets the better.

Note that if you split one backup set into multiple smaller sets, you will lose the history, including any deleted files, previous versions, etc. Best to set this up from the beginning. But remember CrashPlan is a backup system, and it should not be confused with external storage.


CrashPlan’s java app is horrible. It’s slow, ugly, and a PITA to use. If I could find a better alternative, I’d switch in a heartbeat, I have zero loyalty to CrashPlan. However, having said that, as of my last research, CrashPlan is simply the only contender in the market. The defining characteristics for me are:

  • Client side encryption with key that is unknown to my backup provider.
  • Sensible pricing (unlimited space, 10 computer family plan for $150/yr).
  • Indefinite retention of external drive backups (BackBlaze for example deletes these after 30 days, or after 6 months if your computer is off, even while you continue paying, completely outrageous).
  • Cross platform, even if I only actually use OSX, the idea that I can also backup a Linux based server is a necessity with a 10 machine plan.

Find me another service that has these features and I’m there. In the meantime, I continue to use CrashPlan and endure its peculiarities and shortcomings.

Experiments with anonymous email

We recently received a letter from a German lawyer alleging a copyright violation. Time to say auf wiedersehen to internet surveillance and censorship! 🙂

Many VPN providers accept payment with bitcoin. Some have zero log retention policies. Current front runner is ironsocket. But they all need an email address. So, how to get a reasonably anonymous email address?

I first tried Hushmail. Free signup, easy. But, I need to login every 3 weeks or my account is suspended, and the only way to get it back is to upgrade and pay $35/year. Too expensive.

Second step was MailFence. They need an existing email to verify my account, but they accepted my hushmail address, and maybe they’d accept a mailinator address. Account is free, doesn’t appear to expire, but doesn’t support POP / IMAP.

How to use it?

I’m wondering how far to go. I could create clean email addresses via tor, pay for a VPN with bitcoin, and in theory, have an untraceable VPN account. However, every time I connect, my originating IP would be visible, and so I’d be easily trackable. Given all of that, maybe a totally clean email address is overkill. There’s also the anonymity of the bitcoins to think about…


Full encryption is go!

This post comes to you from Ubuntu 8.10 Intrepid Ibex, upon a fully encrpted 500GB disk. So if my laptop should fall into the wrong hands, my customers, family and friends can rest assured their data, passwords, photographs or emails are (for all practical purposes) secure.

Thus far I haven’t noticed a performance cost. The system “feels” as fast as before. I’m running a Centrino Core2 Duo 1.66GHz, 1.5GiB RAM. When moving large quantities of data (10GiB plus) I see the kcryptd process using around 25% – 50% CPU (of one core).

It really was painless to setup. Thanks to this walkthrough I was pretty confident it would be easy. No dramas. The hardest step was probably choosing a suitably random password (thanks grc).

Password Security

There was some discussion on the BeWelcome developers mailing list recently about OpenID and passwords, encryption and so on. Today I received an email from UKReg (aka Fasthosts) to tell me that somebody may have stolen their customer data and may have access to the account passwords.

Fasthosts suggested I change my password. I couldn’t seem to log in, so I clicked the “Forgotten Password” link. They then sent me an email containing my password.

It struck me how ridiculously insecure that is. That means they store my password in plain text. They can look it up if they want to. That’s outrageous. In almost all systems, the password is stored in encrypted (technically hashed) form. If you lose your password, you can’t recover it, you need to create a new one.

Of course, the biggest problem with passwords is always the same. Damned users. It never fails to amaze me how many people use the same password for everything. Otherwise intelligent people, who damn well should know better.

So, go change your passwords. Even writing them all down in a book is still more secure than using the same password everywhere.