I feel like this has been discussed, but didn't find it.
Given all the hashes that PhotoStructure has of the files, and the checks for corruption and the like, I wonder if it might alert somehow if a bunch of pictures suddenly start not matching hash (I.e. they have been encrypted by ransomware)
I worry about pictures I don't often access getting corrupted or encrypted somehow and me not finding it until "too late" to recover from backups. (I actually keep my picture backups with a greatly extended retention for this reason, but…)
There were a couple discussions about this on Reddit.
PhotoStructure remembers the mime-type (from the first "magic" bytes of the file), SHA (the first 192 bits of a SHA512 hash), and the last-modified time for every asset file in your library.
I believe most cryptolockers will simply encrypt files without trying to be "clever" and retaining the magic file byte prefixes, so PhotoStructure could throw up warnings if it saw a SHA and mimetype changed for a given prior asset file.
Wouldn't this be too late, though? Or is that OK (you just need to be notified?)
(I'd love to be able to "protect" people's libraries, but PhotoStructure should run as a least-privileged process as possible to reduce its security footprint).
Changing metadata or just adding an external sidecar wouldn't change the mime-type of the asset file, so, no (assuming I build what I suggested before).
Ideally it would never happen, but we know that's not real world.
I think it would still be of use because if I started getting flagged, I would know that something is going wrong (could even be a disk failing and bad sectors cropping up, or a bad piece of software writing corrupt files). Once I know something is wrong, I could investigate and pull from (offline) backups.
One of my fears is that in tens and hundreds of thousands of pictures, something could run amok and mess things up and I wouldn't find it until "too late" to recover (say if your backup aged out). Many people I know use commercial plans like CrashPlan or Backblaze that only have 30 day retention periods. That's great for disk crashes and the like, but something that's slower not so much.
At work (much larger environment) I had an instance of running across an odd, encrypted file where one wasn't expected. It was a machine that was writing to the SAN with ransomware. I just happened to find it early and we recovered reasonably easily. If it had run much longer it would have been a lot harder to deal with.
Some kind of warning seems worthwhile.
Obviously, this is a "down the road" thing, but wanted to plant the seed, since it seemed to me a lot of the infrastructure already exists due to other features anyhow.