
Watch Out For That Bus! Personal Disaster Recovery Planning

BSides DC · 2018 · 50:11 · 100 views · Published 2018-11 · Watch on YouTube ↗
Category: Technical
Style: Talk
About this talk
Most people secure their digital lives with password managers, encryption, and cloud backups but rarely test whether they can actually recover from catastrophic loss. This talk walks through building, documenting, and testing a personal disaster recovery plan for yourself and your family—covering passwords, financial accounts, digital assets, and access procedures—so that a house fire, hardware failure, or worse doesn't leave loved ones unable to access critical information.
You bank online. PDFs have replaced paper. Bills come via email and are paid automatically. Your thermostat even has an account online in some cloud! Your daily life heavily uses technology, and it's great. As a good digital citizen, you may even use a password vault, two-factor authentication, full disk encryption, and cloud backups. But then you get hit by a bus. Or, less morbidly, your home burns down, floods, or is robbed. Maybe your computer is fried by a power surge or the hard drive fails. If you don't have a tested personal disaster recovery plan, you and your family may find yourself struggling to return to normal life. You may lose access to your treasured pictures, important documents, online accounts, and digital currencies. Companies understand and mitigate this risk by (hopefully) revising, reviewing, and testing their plans, but individuals rarely even think about this risk, much less plan for it. But backups! And the cloud! They may turn out to be useless if you haven't fully tested out a disaster recovery plan - mine were worthless because of a circular dependency. Come learn about how to make your own disaster recovery plan so you can sleep a little better at night and make a disaster a little less disastrous.

David Minch (Cybersecurity Engineer)
David Minch is a cybersecurity engineer, focusing on exploiting and securing critical systems. He has a blend of technical and non-technical experience that helps him practice balanced security. In his free time, he enjoys playing with his overly complicated home network, especially a new-to-him Dell R610 running more VMs than necessary for a house. When he isn't doing security, he's probably destroying his house, serving his cats, or drinking orange crushes (it's a Maryland thing).
Transcript [en]

BSides DC would like to thank all of our sponsors, and a special thank you to all of our speakers, volunteers and organizers for making 2018 a success.

All right, thank you for coming, nice and early on Sunday morning. My name's David Minch, I'm a cybersecurity engineer, and you are at "Watch Out for That Bus: Why You Need to Worry About Personal Disaster Recovery Planning." So we're going to talk about what this personal disaster recovery planning actually is. We're going to talk about what your digital life is and why we worry about it. We're going to laugh at my personal failure in this; fortunately it was just while I was testing my plan, but it felt horrible. So laugh at it, and then learn how to build your own from my mistakes, and then learn how to test it, because while we're hoping that nothing bad really happens, we need to be prepared for the worst result.

So where does this talk actually come from? Where's the name come from? In software engineering and reliability engineering, the bus count is how many people on your team can get hit by a bus before everything falls apart. If the bus count is one, that basically means one person gets hit by a bus (really it's a cover term for if they quit), and if that one person disappears, now everything falls apart and everything's in shambles. So you want that count to be higher than one. But what I'm thinking about, for your personal life, is: is your bus count one? If you get hit by a bus, does everything fall into shambles for your household or your group? So that's where the title comes from.

So to get into the right mindset for this talk, I want you to look at this starry sky with a silhouette of maybe yourself, or close your eyes and come to yourself (it's a Sunday morning), and think about who is important to you in this world. It could be yourself alone, that's fine. It might be your significant other, your spouse, your kids, your parents or grandparents, or a good group of friends. The point of this is you need to be thinking about who is important to you, because that's going to get you in the right mindset for this talk.

So let's start. We're going to have a low-engagement nine o'clock in the morning Sunday Q&A. Will you die? This is like a warm-up question, so yes or no. So, will you die? Raise your hand: yes. Okay, so some people are realists. All right, will you die: no? Okay, no one is like super... okay, we have an optimist, that's good. So the point of this question is that it's a dumb question. It's not really a question, it's really just a statement: you're going to die someday. But there are some nuances to it that you might not initially think about. If you're thinking, no, I'm not going to die because I'm so young, I'm so indestructible, well, that's great, but there are two problems with that. One, the further away you think you are from death, the less prepared you're probably going to be for it. And two, let's say you do live a long, happy life, like I would certainly hope for every one of you. The problem is that you have a lot of decades of digital revolution that's going to keep coming and make this entire topic that we're talking about get harder every decade, and so I think there are a lot more complexities that we can't really understand yet that are just going to make things more difficult. So yeah, you get to live till you're ninety, a hundred, that's great, except, you know, Gmail is going to be way more complicated, who knows what we'll use anymore.

Question number two. It's multiple choice, and if you're really unlucky, which of these bad things have happened to you? Once you raise your hand I'll call them out. If you've been affected by a natural disaster, a fire, a flood, raise your hand. If you've been affected by hardware or software failure or ransomware. You can count this one too: theft of a device, a computer, a smartphone. And a death or illness in the close family. And some of you just held your hand up the whole time, so, not good luck for you. But the point of this question is not about whether you were holding your hand up, it's about the people around you that were holding their hands up too, because in disaster recovery the easiest thing to do is say none of this will happen to me, and if it has happened to you, to kind of discount it, like the gambler's paradox: that happened to me once, so it's unlikely to happen again. A lot of these are random events, so that just doesn't count. And so it's really important to recognize that these things can happen and to be prepared for them, rather than just repress them or ignore them. It's important to realize that these things can happen to you and to the people you care about.

Because for the rest of this talk, you're dead. You just died. You were crossing one of the various avenues to get to the Renaissance Hotel, you were in a really in-depth discussion about blockchain or something like that, and you got hit by a bus, or, more likely in DC, a cab. So you're dead. Now, what do the people that you care about do? Are they able to get into your life? Are they able to pick up the pieces, or is everything just over?

Because there's a nuance to this that's really easy to forget about too. We're at a cybersecurity conference, where we self-select the people in this room to be the more technical people. But the world looks like this: it's a spectrum of technological competency. We are lucky to be on the right side of the spectrum, where we have debates about vim versus Emacs or Python 2 versus Python 3, and that's great. But as you slide to the left, you start going, okay, I can use the command line, or then maybe you just can use a computer but Microsoft Word is like your advanced usage, or then you get to the people all the way to the left, that you might be thinking of as well, the ones where somehow their Facebook statuses are Google searches, and you really just can't stand watching them use a computer, it's very frustrating. But the problem is that when we think about disaster recovery and think about the other people we care about, we don't necessarily get to pick where they fall in the spectrum. It's just kind of the reality of the situation, and just because they're further left doesn't mean we necessarily love them less. That's up to you. So you also want to be thinking about where the people that you care about fall in this spectrum, because it's going to affect how you have to plan for things.

Because the further left you get on the spectrum, this is the endgame: everything they need on your computer is behind this password-protected Windows 10 lock screen, and they don't know the password, and it's over. For the people on the right side of the spectrum that are more technically competent, the people in this room, you might be thinking, oh, if there's no drive encryption I'll pop it out and throw it in a drive caddy, I'll just pull the files off the desktop, or with this phone I'm going to rip off the hashes and have a crack at the password if it wasn't very good, or pass the hashes. We can come up with a million different ways to recover it, but for a lot of people this is it, game over. It's not really some cool CSI story where you're like two people on the same keyboard; this is it. And so that's important.

But then there's a flip side to this entire story too. We're very focused on yourself, that's very vain. Well, when the bus hits the person you were thinking about instead, are you prepared to pick up the pieces? Are you prepared to be the one that's still alive? Or, less morbidly, maybe no one's dying, those buses are actually yielding to pedestrians, but we have these other things that could happen: fire, floods, natural disasters. I look at a city a little bit north of us, a very cute town in central Maryland, that used to not have floods all the time, and now every other year they just kind of get first-story flooding for fun. That's something to deal with. So there are a lot of physical disasters that compound this problem, because you're worried about physical problems like your house being flooded, but then you're also worried about electronics and things being destroyed as well. You also might have to deal with illness. Dementia is going to be particularly devastating because it's very emotionally draining; the people are still there but they're not mentally there, and it just makes things a lot more complicated. But just general illness and death can be a problem. And then you might just have theft. Or maybe you did something that wasn't the best thing and you go to jail for a little bit, but wouldn't it be nice if your family could still live there and be able to recover the pieces even if you're no longer there? Or maybe in the military you do a deployment for six months to two years, just because you're at sea or somewhere else in the world. I've talked to people in the military and they have some really weird ways of making sure their family can get into their bank accounts while they're not around. It's not really the best way. And then you also have just your traditional things you might think about, with software or hardware failure, ransomware. These are all things that can prompt a personal disaster recovery plan.

So now you're back in the hot seat. Do you currently back up your files? The best case is that you have automatic off-site backups. Maybe you have automatic backups that are local. Or you're in my favorite category, which is the people that swear to me that they copy things to a flash drive or a hard drive, they do it all the time, and then you ask them the last time they did it, and it was six months ago and they don't know where it is. And then you also have people that just don't do anything; at least they're being honest with themselves. So again, raise your hand on that. Off-site backups? You'll see how you can... this is what I currently do. If you do automatic local backups, raise your hand. Common, and this can be good enough depending on your risk profile, but it can't prevent against everything. And then who's in my favorite category, the flash drive you copied to somewhere? Do you know where it is? When's the last time you did it? There you go, so she's in like the best slice of this okay category, but we can do better. And then who doesn't do backups, and it's just not even your problem? Everyone's seen backups... I didn't blow up, okay. Someone's being honest with me. They say... if you really stick to your schedule, it's about the repetition and how long it's been since the backup occurred. If you're willing to tolerate a week of loss, then okay. The problem usually with that method, that third method, is that it's really about people's expectations and convincing themselves that they're protected, but then that period of time since the last backup grows. I know my wife used to do it before I put her on off-site backups, and before she knew a wonderful InfoSec professional like myself, she had that method and it was like two years old all the time. You know what I mean? And that can work, but that is still a local backup unless you're taking it off-site, so there will be concerns we talk about with that. So it depends on your risk profile, how much risk you're willing to take, and what you're trying to prepare for.

And your last question essentially breaks down to: yes, you lost data, or no, you lost data. You don't need to raise your hand for this one, but think about whether you were upset, whether you were able to recover it. A lot of times people have this context more in their company, but are you willing to lose every single picture you store on your computer? I know for a lot of people, my family, pictures are the thing they care about more than anything else, because it's just a moment in time; they'll never get that back. It's important to think about whether you've lost that as well.

So the question is, can you recover? That's two things. One, do you have the mechanisms in place to recover? And then the second point is whether they'll actually work when you need them to. Just because you have the controls doesn't mean they actually work on a bad day. And what I was really worried about, the reason I started thinking about this topic in the first place, was I was adding, like the good InfoSec professional I am, more and more controls and convincing myself, okay, two-factor on everything, extra layers of encryption, let's do all the things to keep the bad guys out. But I was more concerned about whether I was locking myself out at the same time, and not only myself, but the person I was thinking about at the beginning of this talk in the starry sky. I'm thinking about my wife; she's my primary use case, but then I think my parents are the secondary use case. So if I have all these layers of encryption that only I understand how they work, and it's not something every user gets, do I lock out my spouse in the case of a bad day, which you could argue is more likely than that I need to keep out some bad guy that's specifically targeting me and trying to break three layers of encryption? So I'm trying to balance that, to make sure I don't cause a bad thing to happen to us.

Now I've been talking a lot about disaster recovery planning for your digital life, but I haven't really talked about what that actually includes yet, so let's go over a couple of things. This is just the things I was thinking about; every person's going to be different. We're going to start with your email. The thing is, your email a lot of times just seems like, oh, this is where I get my Kohl's and little baby coupons and that's about it, and people that want to sell me prescriptions, whatever stuff. The thing is, yes, we get less spam, but it's actually a centralization point for a lot of our digital identity. A lot of times your reset emails, your statements, your accounts, a lot of things go to your email, and this is important because when my grandparents passed away a few years ago, they were all paper, analog, like you might expect, and that's great. So when they passed away, my dad knew he didn't know about every single account they had, and so he watched their physical mailbox. Every couple of days he came and checked it, and he finds, oh, here's ten grand that we didn't know about because it's just in some bank account that they never really told anyone about. That's fine, but I don't get that stuff to my mailbox anymore; I get that in my email. My accounts and my statements come to my email, and so it's important for someone that's trying to recover your life and piece together the pieces that they have access to that email. You may also want them to have access to social media accounts. This depends on how in-depth you are with them. This can often just be peace of mind: if you truly are no longer around, to be able to put those accounts to bed, that can be really comforting.

A picture of a physical Bitcoin. Really, the point of Bitcoin in this talk is not about how rich you should get off of Bitcoin or blockchain, or now you invest in ICOs. The point is that cryptocurrency is a purely digital asset, unlike other banking and financial institutions, where usually with a death certificate or some paperwork that says I super-duper swear this is me, you can get your money back. Cryptocurrencies are unforgiving: if you don't have the private key, it's not actually your money anymore. And so I think it represents all the digital-only assets we're going to start seeing come up in our lifetime. So if we do live for the next hundred years, cryptocurrency is not going to be the only thing, and this is one of the things I think about when people are talking about, oh, the world is cryptocurrency. That's great, but what happens when you lose the private key and all of your life savings just disappear? Shrugging and saying that's too bad is not really a good solution. So we need to think about personal disaster recovery in the sense of, as you go more exclusively digital and crypto is what's constraining things rather than an organizational business process, we need to worry about that more.

Your house. Right now, my house is like a Roomba, and that's not really devastating. If I lost access to that, I can recover. But I think we're going to see more home integrations where the home becomes less and less usable if you don't have access in some digital method. And then pictures and files. This can represent a lot of memories, or it can represent many years of hard work, depending on what you're storing on your personal computer. If it's some work, then it's a lot; if that's your livelihood it could be really important. Tax returns, all sorts of time invested in your files. So you don't want to lose them, and that's what we typically think of when we're talking about disaster recovery for yourself.

And also your cell phone. Now, really, if my cell phone got stolen today I wouldn't lose that much information that I would be that upset about, besides, you know, 800 bucks. But what the cell phone represents is actually your phone number, which is a slice of your digital identity. Especially right now, we're in this hump where everyone loves two-factor authentication via text messages, so your cell phone actually is kind of you now. If you have your cell phone number, that's what people are trying to steal away from you. If you have access to your cell phone number, you are doing part of the authorization that shows that you are you. So that's a part of your digital life. Let's say you're crossing the street and you get hit by that bus because you were texting (that's a no-no); your cell phone shatters. Well, now step zero, if your family is recovering your life, is go to Verizon and get a cell phone with your cell phone number, because they might need it to get access to things, so two-factor will be in play.

So I'm thinking about my wife and the security controls I'm adding, and then I'm like, okay, my digital life is important and I'll make sure she's prepared in case I'm no longer around. So I needed to test something. I start putting together my plan. It was probably some awesome Friday night where I didn't have anything else to do, and I start putting it together and thinking to myself, wow, I'm such a dork because I'm doing this in my free time. And I was doing it mostly to convince myself I was okay. But what really surprised me is that it actually didn't work. I wrote the plan and I thought I was fine, I'm thinking I'm super cool, and then I tried it and it fell apart. I was really surprised by that, because it's one thing to start writing the plan and realize it's going to break, but I didn't realize it until I actually tried the plan, and that's why testing is so important.

So here's where you get to laugh at me. For me, my deal is, I just want a goal of what I'm testing against. I keep all my super important secret files, finances, keys, all sorts of things, in my encrypted file vault. So if I can get to that, starting from scratch, then I feel relatively successful, that at least some aspect of my digital life can be recovered. So how do we do that? We're going to access a password manager. I'm using 1Password; we're going to talk about that a little bit. We get into my password manager, that gets me the password for my cloud backup. So then I log into that cloud backup. And then, since I don't really trust anyone too much, I've added this extra level of paranoia: I have to decrypt my cloud backups, because I do private key escrow, which means I hold the keys to decrypt my backups; Backblaze is not able to decrypt them for me. And then once we do that, we can retrieve all my files and my plan has succeeded. Well, what could possibly go wrong with this? Do you see it? I didn't see it until I tried it. Where would I keep my super important cloud backup decryption keys? They would be in that encrypted file vault I'm trying to get to. So now all my files are gone forever. Every picture I've ever taken is gone, every file I've ever written completely destroyed. One hard drive failure could cause this for me, even though I had backups and password managers. I thought I was doing everything right, I thought I was like the 1% of disaster recovery, until I tried my plan and it was just worthless. That's not great.

So I fixed that, and then, in that story, I was actually using LastPass at the time, so I switched from LastPass to 1Password. Now, one of the nuances is that the LastPass default installation is you have your username or email address and you have your master password, so it's a long-running password; it's what protects your LastPass vault, and that way it's a really long password no one can get in, and that gives you access to all your other accounts. That's great. You could add two-factor, but I'll talk about why I was nervous about that in a little bit. So I had LastPass, switched to 1Password. 1Password's security model is a little bit different; I like it more, but it's different in that it's username, master password, and then the first time you log in on a device you need your secret key, which is long and random. So where would I store a long and random secret key? In my file vault. So now I can't access my password manager, so I can't even get to the account to log into my Backblaze, and now I can't get to the decryption keys, because Backblaze is like, come and enter it on the website, and now all my files are gone and now I'm sad. So even after my first failure, I found that changing subtle things in my security plan actually can cause my backups to fail as well. And so this is where I'm starting to think, okay, if I'm doing all the right things by doing backups and other things, and it's actually not working out and not really that resilient to failure, then I feel like this is where I should start going out on the street and standing on the corner and screaming "backups" really loudly, and just helping other people realize the problems they might have.

So in my case, a circular dependency is what really broke my backup plan. I had the encrypted vault, but that's what I'm trying to get to, and that has everything I need to get to that, and so there are a lot of problems with that. So I needed to come up with a way to break that circular dependency. But that's one specific case; what else could happen?

So, two-factor. This is not where I say two-factor is terrible and everyone should be scared of it, but the problem is that two-factor introduces more complexity with your authentication. So SMS ones: if your phone's not with you, that could be a problem. Do you have backup codes? On the bottom left, that's what Google backup codes look like. That's great, except where do I store backup codes? In the encrypted file vault. So I need to figure out a way around that. Or you might have stuff like at the top left, a YubiKey or RSA key. YubiKey is probably a little bit easier to get your hands on for personal use, but the thing is, if you go to these vendor websites and say, hey, what should I do to be resilient for disaster recovery, they say, okay, well, if you really want to be resilient, you should have a primary YubiKey (in this example), you should have a secondary YubiKey, but in the worst case, just call the help desk. Well, that's a very corporate answer, because if I get hit by a bus, then my entire IT desk just got hit by a bus. So that's not very good: the help desk is all dead, and it's very sad, not a very good help desk. But the problem is that now you have to be thinking about, okay, if my accounts are really actually authenticated by a second factor and you can't just bypass it with some terrible security questions, then now you need a primary key and a secondary key. Is that off-site? Where is it stored off-site? Is that resilient? Is that subject to an attacker? Can I get to that easily? And do people know how to use it as the backup? There's a whole host of issues, because you just brought a physical entity into your digital disaster recovery plan. So it's not necessarily bad to have two-factor, but I'm concerned about, okay, if I start using it... I have like four YubiKeys, because everyone keeps sending them to me, so I have multiple ones, but how do I construct it so that I don't accidentally lock myself out if my primary YubiKey is damaged in the exact same disaster that takes me out or my house out too?

Now, backup failure. This one is most common with your automatic cloud backups, and that is, is it actually backing everything up? You always seem to find out afterwards. The most recent example, and this is more of a corporate one but happens all the time with personal as well, is a lot of these don't back up virtual machines. So your work laptop gets completely fried and you're like, that's okay, I have backup software that always runs in the middle of my presentations, that's great, and then you go recover it and IT's like, oh, we don't back up VMs or any of these source code files that were in your user directory, so it's all gone. And so until you test that, you don't realize that all the backups you've had actually were worthless. So that's a problem.

Existence is a problem. This is actually one of the harder problems to solve, because this isn't about whether your plan is good or whether it works or whether you have the backups. It's, if I'm thinking about my wife and I get hit by a bus, does my wife know what that disaster recovery plan is? Maybe I have an amazing plan and it's just in the second drawer of the safe and she just had to look there, but I'm dead, and even though I'm screaming in the afterlife, it doesn't really help because she can't find it, and all the time I just spent making this talk and making my plan is just worthless. So that would be really upsetting. But existence is hard, because you want people to know about your plan, but you don't want to just post it on your front door where all the hackers can come and steal it. So that's bad too. So how do we solve that? And then inaction. This is the most common plan failure, which is if we just do nothing and completely repress the problem in our mind, then our plan won't exist, and then when we need it, it will fail.

So how do we build a plan? First, write the plan for yourself. This is the easiest one because you know you best. You still want to try and extract everything that's critical from your plan and get it written down in some form, but it's easier because you can just say, here's my decryption key, here's my decryption password. That's all you really need, because you know the software you're using. It's really that simple. But then you have to upgrade your plan and write the plan for someone else. Now you can't just say here's my decryption key, because it's going to be like, for what, using what software, and where's that file? So you have to say, okay, I'm using VeraCrypt, for instance, and you can download VeraCrypt here, and here's what VeraCrypt is. Okay, that's great, but then you come back to the lovely spectrum of technological competency, and what happens if you're dealing with the left side and they're like, what's a drive? What's encryption? Sounds scary. Why is it made by this French developer? I don't really understand any of it. And so writing a plan for someone less technical is even harder. We're going to come back to the way I help solve this; rather than writing an entire manifesto about disaster recovery and all that type of stuff for these people, there are ways that you can make it so they're successful without putting a lot of burden on yourself.

But there's still one more thing to think about, which is the plan for someone else, and this plan's harder, because while you can kind of go home at any time and think about writing this plan for yourself and then just make it available to the people you care about, if you have someone else, you have to first convince them. You're already at this talk, you've already bought in to some degree that this is a thing, but if they're not here at this talk, then they may feel like you're just the paranoid security person again, and it's really hard to say "I told you so" if they're dead. So it's hard to get the motivation for this, but the problem is that you want their plan, because you're going to be the one now that has to execute the plan. So it may not have to be as in-depth, but you still need to convince them that it's worthwhile. Depending on who the significant other person is, if it's your spouse, your plans might be the same; that's not that big of a deal, and they won't have a problem sharing things with you before bad things happen. But let's say this is just someone that's important to you, but they don't just give you all their access right now. That can be more difficult, because you have to build in how that information gets released to you in the case that they're no longer around. It's more difficult.

So what's in your plan? This is going to vary completely based on your life, but here's what's in my plan, to help get you started and to think about things that might matter to you. It's going to matter how old you are: are you in college, or are you in retirement? Do you have kids? Do you have grandkids? Do you have parents? Are you married? Lots of things can affect this. So let's get started with the easier stuff.

Passwords. Instead of saying, okay, I want you to write down every single password that you possibly have and use in a disaster recovery plan and then keep it up to date, and all this management that's kind of a pain, this is where we can get a two-for-one special, in that password managers are becoming where the security community is moving, until we figure out authentication some other way. Password managers are, for most of us, a good balance of risk and security. Put your passwords in something like 1Password, Dashlane, LastPass, KeePass, a lot of the other ones. It centralizes them, you can have better passwords for all of your sites, you protect them with the master password, you can add two-factor if you want to, you can add these things, and now you have consolidated access. And really, just from a security perspective it's better security, and from a usability perspective it's way better. For instance, I've been using 1Password right now, and Target and RedCard keep messing up the security questions, and since I know it's all in the password vault, I know that they're wrong, it's not me. So it actually is really nice from a usability perspective to get that boost from saving everything in that database. But we have to worry about your security model. I've used all four of these; there are other ones out there, so you can pick based on, usually, the usability model. But like I said, LastPass has a different model than 1Password. I like the 1Password model because it does prevent against someone just completely stealing your master password and throwing it on a new device, but you have to worry about whether you have access to that secret key if your original computer that you have synced with is completely destroyed. So the managers are good, but you want to make sure you understand the implications of using them. That's why we're going to test.

Backups. Off-site backups. This is where it's really easy to just pay to make this problem go away. Backblaze is five dollars a month per computer; that's what I use. It's basically set and forget. It's actually easy enough to install that I just talked my parents into using it too, over the phone, and it's not too bad. So Backblaze is an option. SpiderOak is a little bit more security-oriented. Carbonite's an option. If you were one of the CrashPlan users and they shut down their personal edition, don't let that lapse get to you, just switch to something else, find something that's usable. Well, people might think about, can I use Dropbox or OneDrive or Box, these file synchronization services? And my answer to that is you can; they're just not as robust. A lot of times the storage is a lot less, because they're expecting you to use it more. If you're really good about putting all

your files it like that's just where you store everything and you have enough storage for it then I consider this good enough but if you're like oh like yeah I pull out my files and you realize like you know a week after your harddrive burns to the ground that all of your pictures were in like some other folder then you're gonna be pretty upset so it's it's nice to have the assurance of just using backup software it's not that expensive to solve this problem and then you go around like you can do though every Friday backups which I applaud you for being resilient doing every Friday but if you just want it done like all

the time and never have to worry about you can just like do where you want to Friday then that plays Spyro Carbonite other backup software can help you financials so this is where I'm not seeing to put every single detail and like account statements up the wazoo what really I mean by this is have a table that just says every account you have name the name of the institution what's it for is there a person phone number the usual place you go to deal with this business and the reason is is that rather than somebody having to pick up all the pieces and figure out okay here's all the statements and do all I got forensics work to figure out what

your financial life is like you can spend 60 seconds and probably rattle this all off and just be done with it and you just save someone weeks of dealing with it and you have to worry about what can they get into it especially if just like your spouse or something like that you will make sure that they know about the accounts the sort depends on if you're you know who's in control of finances more but you won't make sure that they're taken care of if you have cryptocurrency this is where it comes the purely digital private keys yeah you will make sure that you know what that private key is because if you make it big and you have

like ten million dollars a Bitcoin that you don't know how to get out of the market yet that's great but if they don't have a private key that it's just you know digital ones and zeros if you're also responsible for a lot of finances you're dealing with you may want to think about whether that make sure people can access their credit so if you're freezing your family's credit which I highly recommend you do with Equifax TransUnion and Experian those are the big three the fourth one you most people don't know about is a notice and the fifth one is the telecommunications credit bureau which is Nick chewy they're all like not my favorite companies but the reality is is

they have all of our information they're willing to give it up to anyone who asks except for including hackers unless you freeze it and as of like mid-september it is now free to freeze and unfreeze any state like anywhere you can read the Senate bill is actually surprisingly clear so it's get a lot easier to do this you know to pay like $5.00 a vendor in Maryland you also may think about the government so if you have a social security account IRS account these are things that you might want to be able to have your family be able to access so they're that locked out this as well this is also sort of a dual security

thing where if you don't have these accounts you might well make them because that makes attackers have more trouble making them for you and impersonating you so this is where you want have them and you won't make them for everyone your family and it's great for security but then you get hit by bus and now they can't like get their social security benefits or they can't file their taxes because they'll have the pin that you set up for them that's a problem so again making sure people have access be able to share that access within your plan you may want to put your insurance here this you might just have your wallet depends on the

circumstance again 60 seconds can save you someone a lot of hassle maybe you've got hit by the bus it just wasn't going quite fast enough and so they need your insurance information it'd be a lot easier for them to get that to the hospital and to the insurance providers before you get the bills of $100,000 let's get this taken care of or the bus was going fast enough maybe you ran into the bus a little bit and so you need a life insurance if it's through your company that's probably not gonna be that hard to figure out but if you have additional policies for these types of insurance you will make sure people know about them because be really unfortunate

that you've been paying premiums and then you make a claim when you need it if you're thinking about your home technology you know tea-things ever started put in what's your network like I know from my network I manage the heck out of it and that's super fun and I have like six VLANs that's great but it's horribly unusable to like anyone on the left side of the technological spectrum so is there a way to simplify that do you just see a rip it out and put something new in how are you gonna do that if you're no longer around the manage it because I am the IT Help Desk any other Keys you have you could use

this as a time to think about like just actual physical Keys like where are the copies of that but are there other keys we're going to start needing as our homes become more complex and then back to two-factor where this two-factor keys if you have the backup ones that's great but where are they in case that someone else needs them where are you storing them now something I have in my plan that this is what helps dramatically reduce the complexity of some aspects of it is I have points of contact so I actually I pick on the lovely room monitor my friend Brian over here and one say hi Brian hi Brian hi so but Brian is my friend and so

rather than talk about like how cool encryption software is and what veracrypt is and all these complexities rather than write like a four-page long essay in case my mother has to decrypt my veracrypt backup which is just probably not going to happen even if I write out really long explanation all I can say my buddy Brian here's this phone number here's what the vault is just just let him do his thing and you I trust him he will get you the results you need and I have a friend for my mediocre mouth cryptocurrency so if they need to get into cryptocurrency talk to my buddy Tyler that's it so rather than write this long essay

that's probably not kind of work in the first place I just say here's the point of contact this person can deal with it I'm way more confident something to actually go right than if I just try and explain through the process so this is something that I think is a good place where we can rely on our friends we can rely on others in the industry and I think if you if you talk to people or you hear people talk about this type of thing I mean we are the people that can help with this so you know if one of our friends did have something bad happen to them I think we'd all be like oh how can

we help and rather than like bake them a casserole you can also help them like actually like help their family's problems but be a point of contact so that's where we can step there as community so we're talking a lot about digital but let's get some bonus points too so if we're thinking about like what happens with my hard drive if there's a flood then you also probably worried about like crap there's a flood what should I do about my house and so we won't worry about that as well so what do we do to prepare there's a lot of things you can do and I'm not saying go fool prepper and have like 365 days of

beans in your basement you can Costco has great deals on that by the way but you won't be thinking about okay like what should I have a gray to go so from a tech side USB chargers cables and there's backup multi factors in a go-bag super handy to keep your cell phone charged way longer than anyone else that's great you want an ID first aid radio duct tape and you can do like plastic sheeting depending on how paranoid if you want to start doing like Y times if a nuclear bomb hits DC there's a whole lot of stuff like don't use hair conditioner apparently is in like the government handout so it's interesting they're like read about that

stuff fairly condition is like a no no case like the world's ending so you have to even think about that but there's a lot you can think about here just having some sort of plan like we're talking all about our digital life it'd be a shame to not spend at least like ten seconds thinking about physical kits and then you also have an analog will to worry about so like if you get hit by a bus it'd be nice to deal with like the legal aspect of it as well so I'm certainly not lawyer expert on this but really breaks down to your executor who actually runs the will to ground who gets the money from stuff and how the

things divvied up and then if you have kids who are their guardians all this stuff will just kind of like happen by default like the legal framework will take care of it but it might not be the way you're really intended so you you want to think about this and where analog will is actually kind of interesting though is you know one of the things that we're going to talk about is where do you store your digital disaster recovery plan but a log will form most part is not a sensitive document you worry about the integrity you want make sure that it was signed by the person when they were in right mind there was no coercion but like you

cannot post it on your fridge and it wouldn't be that big of a deal a lot of families the problem is is that that's because it just it's a really powerful piece of paper that says everyone will do this and they say yes because that's legally we have to do but with a digital will its here's my encryption keys here's my passwords because there isn't just some piece of paper you can just hold up to like if I hold up to my veracrypt software it's a look at this piece of paper it's gonna be like I can't parse that sorry try again so so it's a little bit different that in the old days you know and still now analog

wills are just pieces of paper whereas digital disaster recovery plans we have to worry about how do we store it and make sure that the confidentiality is maintained as well and so that's where we get into actually the hardest part is is what we do with the plan now you've written it so we want to make sure we're updating the plan when do you update it really every time something changes it's great to be doing it like six months to a year eight times something changes in that plan you should be thinking about updating it and that's because as you change features like LastPass the one password or you know back and forth or anything in that chip plan changes you

might affect the viability of your plan and when do you test it you're gonna test it every time you change that plan if you really just like add a new bank accountant to the table I've let you go with that but if you're changing big important things you should be making sure you test it how do you test it so there's kind of two ways to test it this is actually like for the technical people this is what I consider the easy way which is you grab yourself some virtual machine software like VirtualBox you grab yourself a Linux live CD like Ubuntu and when you boot up the new virtual machine it's a blank slate

nothing of your stuff is on there if from in that virtual machine you can get to whatever your goal is you can get into your passive manager extracts your keys access your awful awful site backups and recover your revolt and decrypt it like I was hoping to if you can do that you plan worked if you were like me while you're doing this stuff and like this is going to be great and then everything burns to the ground then you realize your plan needs to be revised now if for some people this is more technical than they want again you can just do this with like a private tab in your browser and that's the way to do

it without having to get into virtualization but what's nice is this gives you a full system to try pretending like every single desktop laptop cell phone everything in your house is destroyed you only can like for that 30 minutes when you're testing it you only can stare at the screen that virtual machine software if you have to peek down at something else to pull something out of a drawer you plan fail so how this is how we can test it employee so through some rigor now the thing is is that when we're testing your plan it's really easy to get caught up with just testing it yourself and you're in like your little underground lair

making sure you're all prepared with all of your cans of beans surrounding you but the thing is you wanna make sure that you actually talk to your family and people you're thinking about - if you run through the plan with them that can be really useful because they're going to point out one places where you may have some shion's that are false and they all understand so it makes the plan more likely to succeed a - and then you can talk to them about where the plan actually is so that it's going to submit in their mind that you have a plan it helps take care of the existence problem that we were worried about and

then storing the plan this is the hardest part because I just told you put everything important that is about your digital life won't you put it somewhere and I will make sure that everyone can have access to it but only when they need to but not before that okay that's really hard so you you don't just want like upload some of this something to somewhere to the Internet I'm not sure there's really a great crypto scheme for storing this you could do like a Deadman switch potentially but then somehow somehow the things maybe the decrypted do you really trust that you could try and file it with a guy attorney but that's relying on someone

else it cost some money every time you do it and you're trusting the attorney which is different than the analog wheel because then you're the same like keep this piece of paper don't lose it as opposed to keep this piece of paper please don't like take off my money it's a very different assumption a safety deposit box is an option the problem I have with the safety deposit box besides are costing decent bit of money is that the the depending on the bank infrastructure that may not go to next akin as fast as you think so if you're like for instance if it's a spouse you might just say we both have access to safety deposit box so you'll have to

worry about like it passed down but if you're trying to only give access when you're actually dead that's harder and you may think like oh the bank will just do it like really easily but I can tell you some banks just will put you through the wringer when my father was going through he had a death certificate and like three pieces of paper that they say needed he come back the next day with it and they say you need different pieces of paper and so if you're on the clock for trying to get into some of this stuff the safety deposit box might not be as fast to do things so you need be able to wear that's how the bank's

policies going to be on it so the one of the ways I've solved this base by tearing my risk so I have the plan I keep the framework I fill it out and when I print out bring it out I have two copies I have one copy that's a fire safe in my house but it smells like fire safes from Amazon so like how good actually is I'm unsure of so maybe that protects me in a lot of cases it protects me I get hit by a bus or if my wife gets hit by a bus or there's like flooding a minor fire but my whole house burns down I'm not cutting that working so what's my off-site plan my off-site

plan is I keep a copy as safe at my parents house well that for me it might not work for you works for me for two reasons one because I trust my parents because I don't think they're gonna use it against me until they actually need to use it for good reasons and because my parents are far enough away that the same disasters I got hit us the same time in the same way but it's close enough that I don't like have to hop on a Southwest flight just to get any update my plan because if you make it really burdensome to update your plan and distribute those copies then you're kind of back to that whole like

copy things on a USB Drive and then like put a drawer and you forget about it and then the plant your parents house is like 10 years out of date it doesn't really help anyone so storing it is hard I think it the thing about the exact constraints you have depends on your risk model if you're able to store it locally it may be okay if it's paper or you accept that I know some people what I've taught them about this idea they talk about like oh you could like sort digitally and let's say for something like that problem is is that smoke will destroy the hard drives weight faster than it was a story

paper so this is like caveat to won't worry about if you went to all this effort to do this whole plan and to build up everything and test it you really don't want the failure to be like oh we couldn't get to it in the end that would be really upsetting so we've talked about a lot a lot of times especially if you have no experience I know this it's up for you this is really overwhelming so so here I want to take just a second to say try to do anything just take one step forward and that's a lot better if anyone in this room does anything starts using off-site backups does a password manager does any minor

improvement I can say this successful so just take a deep breath you don't have to finish this by tomorrow there's no quiz I don't I'm not gonna ask to see your disaster recovery plan although that would be the fishy exercise take the first steps forward to start doing better so what comes down to offset automatic backups a password manager documenting what you did to make your plan actually doing any of this and not just saying that you're going to the next weekend and then testing to make sure it works and you're like wow David that sounds like a whole worker why would I do that it's because as people we care about and that's the reason we're doing it because

if we're dead we have to pick up the pieces but other people do so if you have a stories ideas or questions I'm happy to ship you the slides just tweet at me I think I have a few minutes for questions but I'll just tick around outside afterwards too if you will have more of a discussion on this thank you for coming on early on Sunday
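The blank-slate test the talk describes (boot a clean VM, and see whether the printed plan alone gets you back to your vault) can also be dry-run on paper before you spend the 30 minutes. The script below is an added example of mine, not code from the talk or the speaker: it models a recovery plan as a dependency graph, where each item lists the alternative sets of things you must already hold to get it back, computes what is reachable from whatever survived the disaster, and reports any loop among the unrecoverable items, which is exactly the "circular dependency" failure the speaker says made his own backups worthless. Every item name, the sample plan and the scenarios are constructed for illustration.

```python
"""Dry-run a personal disaster-recovery plan as a dependency graph.

Constructed example. Each key is something you may need after a disaster;
its value lists alternative ways to obtain it, each alternative being the
set of things you must already hold. Base items have no alternatives: they
either survive the disaster or they are gone.
"""

# Hypothetical plan (all names constructed). The TOTP backup codes are
# stored inside the password manager, which itself needs a TOTP code:
# that is the circular dependency the drill is meant to expose.
PLAN = {
    "password_manager": [{"master_password", "secret_key", "totp_code"}],
    "master_password": [{"memory"}],
    "secret_key": [{"emergency_kit_printout"}, {"laptop"}],
    "emergency_kit_printout": [{"fire_safe"}],
    "totp_code": [{"phone"}, {"backup_codes"}],
    "backup_codes": [{"password_manager"}],
    "offsite_backup": [{"password_manager"}],
    "vault_passphrase": [{"password_manager"}],
    "family_photos": [{"offsite_backup", "vault_passphrase"}],
    "memory": [], "fire_safe": [], "laptop": [], "phone": [],
}

# Same plan with the backup codes moved onto the printed emergency kit,
# which breaks the loop.
FIXED_PLAN = dict(PLAN, backup_codes=[{"emergency_kit_printout"}])

GOALS = ["password_manager", "offsite_backup", "family_photos"]


def recoverable(plan, survivors):
    """Fixpoint: an item is recoverable if it survived or if every
    requirement of at least one of its alternatives is recoverable."""
    have = set(survivors)
    changed = True
    while changed:
        changed = False
        for item, alternatives in plan.items():
            if item not in have and any(alt <= have for alt in alternatives):
                have.add(item)
                changed = True
    return have


def find_cycle(plan, have):
    """Return one dependency cycle among the unrecoverable items, or None.
    The cycle is returned as a list that starts and ends on the same item."""
    blocked = set(plan) - have

    def blocked_deps(item):
        return sorted(d for alt in plan[item] for d in alt if d in blocked)

    path, on_path, finished = [], set(), set()

    def dfs(item):
        path.append(item)
        on_path.add(item)
        for dep in blocked_deps(item):
            if dep in on_path:                      # back edge: a loop
                return path[path.index(dep):] + [dep]
            if dep not in finished:
                found = dfs(dep)
                if found:
                    return found
        path.pop()
        on_path.discard(item)
        finished.add(item)
        return None

    for start in sorted(blocked):
        if start not in finished:
            cycle = dfs(start)
            if cycle:
                return cycle
    return None


def drill(plan, survivors, goals):
    """Run the paper drill: what do the survivors let you recover?"""
    have = recoverable(plan, survivors)
    referenced = {d for alts in plan.values() for alt in alts for d in alt}
    return {
        "recovered": sorted(g for g in goals if g in have),
        "lost": sorted(g for g in goals if g not in have),
        "cycle": find_cycle(plan, have),
        # requirements the plan names but never defines (typos, forgotten items)
        "undefined": sorted(referenced - set(plan) - set(survivors)),
    }


if __name__ == "__main__":
    # Scenario: house fire, fire safe held, but phone and laptop destroyed.
    for name, plan in (("original plan", PLAN), ("fixed plan", FIXED_PLAN)):
        print(name, drill(plan, {"memory", "fire_safe"}, GOALS))
```

In the constructed fire scenario the original plan loses the photos because unlocking the password manager needs a TOTP code, the only surviving source of TOTP codes is the backup-code list, and that list lives inside the password manager; the drill prints that loop explicitly. Moving the backup codes onto the printed emergency kit (the fixed plan) makes every goal reachable from memory plus the fire safe alone, which is the property the live-CD test checks for real.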

Right, so that's a good worry. I feel like someone just talked to me about having this happen. I don't know the exact policy; usually they will retain it for like 30 days but won't give you access to it till you pay up. This is one of the reasons why email, I think, is important to have access to, because while it's not going to directly get you into anything, it will help you, like, oh, I can just start monitoring that; oh, they have Backblaze. Maybe you just give someone your email account and don't even write up this whole plan because you just never got around to it. If they start to see, oh, Backblaze is giving me a weekly email, oh, that's how they do backups, people can figure that out. And then that helps with the credit card notices; it helps the continuity of that, as opposed to, like, we had backups, but you forgot to pay it and they got hit by a bus and now it's all gone. So the email, I think, helps with that.

No, I don't. What I do is I already configured that to give my mother and my wife access to my Google account, and on Google Drive I have a document with my master password and a copy of my KeePass. So if I stop using my Google account for, let's say, one month or two, they will automatically receive a copy of my... they will automatically have access to my Google account and they will be able to... right.

So that is one option. I've seen it; I think LastPass does this, not sure about the other managers, where you can do basically a dead man's switch like that. Part of it is how long you're willing to make that period. So you said a month or two. If they offer something shorter, are you OK with something shorter? Are you OK with them having to wait a month or two to get into that? Because let's say it takes a month or two, but then you get into this problem of you didn't pay your bill, because of course things are going to line up to be the worst time ever. So you forget to pay Backblaze the day you die, and then it takes a month or two to get into your Backblaze to pay that, and now the backups are deleted. So it's certainly a good model. Some I've seen, the periods are way shorter, like essentially 48 hours, or in some, the user can go in and say I want to recover this account through the dead man's switch, and then it emails you, and if you don't click a link within like 48 hours it will grant access. So you can pre-specify the emails so they're always able to do that. Gmail, Google, is a good example, because a lot of times that is so central to our digital lives. The problem is that you also want to be thinking about all the other ancillary accounts you might care about, and maybe the master password might help with that too. So that could work. Have you tried doing it? Does it work? What is it like? That's actually hard to test, because you've got to say, oh, I'm not using the Google account for a month. You rely on Google, and if it doesn't work, Google doesn't really have a phone number, so sort of the notorious problem. So I'm not saying it's bad; it's a great idea and one of the ways you could do it, but there are ways it could fail. I just don't know how much I trust it. Yeah.

Right, yeah, I mean there are ways that Google will do that, and you can delegate that access. It depends on the person you're thinking of: is it someone you only want to have access when you're no longer around? Are you OK with them having prior access too? So these are things to think about, but that is something I'd like to look into more, seeing exactly what the parameters are, and that might be a good option for storage. It depends on whether you also trust... do you want to put something as sensitive as all the keys to the kingdom in a digital form in the first place? That's something I struggle with. Even with three layers of encryption, do I really ever want to write down some of this stuff? I'm not sure I like having the "here's how I take outdated 101 bland"

...and we're about writing to not connect with all, right.

And so I think some people like that; that's why safety deposit boxes come up, because that's sort of like, pick the bank, you have to go into the bank and do something with it. There is the fire safe I have. I haven't tried it; I should try that. I have a lockpick set sitting like 10 feet away from it. It's probably not that hard to pick; it's like a terrible-looking key. I doubt it... it's more about fire safety and waterproofing than physical security. You could invest in an actual better safe. A lot of the cheap safes, like under 150 bucks, you can just drop it and it will unlock for you. So that's great. There are other talks, problems we hear about that, so I do worry about that a little bit, but at the same time I'm not sure how convinced I am yet that if people are breaking into my house they're going for the disaster recovery plan versus my wallet. So it's about the risk profile. I'm probably a little bit more worried actually about fire and flooding than something like a hacker physically coming into my house, or someone that would know what to do with the disaster recovery plan. Now, I guess if I wrote that really well they could call my buddy Brian, be like, hey, I'm a hacker trying to get into David's vault. It'd be like, this would be a great prank. So we'll see. But so it's a balance: how much you worry about physical security and how much you're willing to go hide it. I'm kind of 50/50 on it.

...was a cracking?

Right, right. I'm thinking about picking my safe, but the reality is it's light enough you could just walk it out the door. So there's issues with it; even with a barrel lock someone could just walk it out the door. Yeah, yeah, it's the same one.

All right, well, I think that's all the time we have for questions, so thank you very much for coming. I'll be outside the doors if you have more questions or want to share a story or something like that, but thank you very much for coming.