Slashdot Mirror


User: mlts

mlts's activity in the archive.

Stories: 0
Comments: 5,534

Comments · 5,534

  1. Re:Funny how Slashdot users are okay with criminal on Malware Infects 70% of Seagate Central NAS Drives, Earns $86,400 (softpedia.com) · Score: 5, Interesting

    The criminals are virtually untouchable:

    1: They are likely in countries of the world that have zero interest in turning them over for justice. In fact, they may be regarded as folk heroes or equivalents of Robin Hood, taking money from corporations or countries and bringing it to the region.

    2: They are likely using employees to do the dirty work, with plenty of anonymity between them and the higher ups.

    3: Malware can be traced, and a lot of people suggest origin, but code can be edited and spread anywhere in the world, so code that originally came from Latveria can be used and abused by people from Lower Elbonia, and if distribution is done, the whitehats may never know the real origin.

    4: Compromising an endpoint isn't too difficult these days. If someone hacks a wi-fi router and compromises a home computer, all it takes is deleting the offending stuff securely, and that becomes a dead end.

    5: For every one criminal, there are others behind them.

    6: LEOs have many cases on their hands. It might be doubtful they may have the resources to handle anything but the big names, so chasing after every bad guy would be about as fruitful as chasing every pot smoker in the US.

    Going after criminals is nice, but that is a game of whack-a-mole. Unfortunately, computer security is a defensive war, but there are useful tools on the whitehat end which can help mitigate attacks.

    Long term, it may not be something that is wanted in any shape or form, but I think what may end up happening is that countries themselves will demand control of the routers that go from one nation to another and enforce rules there. China has that, Iran is building it, and other countries are looking into blocking at their virtual borders, just like physical borders. It might be a token thing now, but as time goes on and money is put into it, it may become something all countries have in place, just so another country that has IP ranges that are hotspots for attack is blocked there, so every single Internet entity in the nation wouldn't have to deal with them.

  2. Re:This will never take off since it is closed... on New HDMI Mode Will Allow USB-C Connections (techhive.com) · Score: 2

    That is a downer.

    I've thought the ideal would be something that can take USB-C, Thunderbolt, HDMI, DisplayPort, an IEEE1394 descendant, and a smart, two-way charging protocol, and have it just plain work. Let the devices figure out if they need to use a USB style tree configuration, a Thunderbolt or IEEE 1394 daisy chain, a direct negotiation for HDCP video, or just a direct connect to figure out what device had power, what was requesting, and negotiate from there.

    Other than the power aspect, maybe the next "universal" connector should be one with wires for power, as well as two fiber optic leads, and have this done in an idiot-resistant, high insertion/removal cycle connector. From there, devices can negotiate what protocol to use over the glass, and how power flows.

  3. From what I have read, btrfs is stable if used in a RAID 1 configuration. However, it seems that RAID 5... is a completely different story altogether. I'm sure it has gotten better, but as of now, I've not read anything about catastrophic data loss on anything but striped arrays.

    Given that it appears to be stable, btrfs does have a few advantages, mainly being able to handle bit rot, as well as snapshots (which are definitely not backups, but they are another tool to help prevent data loss.)

    If btrfs is a concern, one can run without it. The less expensive ARM based units don't have it as an option, but they do offer RAID (assuming a more than single drive model.)

    All in all, NAS appliances have their use. Especially with offloading stuff that would take up resources on an active machine or VM. For example, having the appliance handle basic Git repositories is nice, as well as DNS caching.

  4. Re:Come the fuck on on Ask Slashdot: What's The Best Way To Backup Large Amounts Of Personal Data? (foxdeploy.com) · Score: 4, Informative

    As others have said, 4TB isn't that much. The key is to have a 3-2-1 plan for the data -- 3+ copies, 2 on different media, one offsite:

    First, I'd recommend purchasing a NAS appliance. Synology and QNAP offerings are inexpensive and even though one can build their own system with FreeNAS or something else, a small NAS appliance takes up relatively little in wattage, which is nice for the electric bill. I also like the fact that you have the ability to encrypt data, and segment it into shares. Some NAS models even allow for snapshots. They are not too expensive -- an ARM based dual-drive NAS is about $150 + drives.

    For four terabytes, I would recommend a Synology DS216+ ii (the reason for the long name is that the DS216+ had components which were discontinued, so the mark 2 edition is current. This NAS model is x86 based and can use btrfs to detect bit rot on the RAID volumes). Then, drop in two WD Reds (6 or 8 TB), and you have RAID 1.

    Second, buy an external USB drive to plug into the NAS. RAID and snapshots are nice, but this provides a true backup mechanism.

    Third, get an offsite backup mechanism. QNAP and Synology have software that can back up to a number of providers, and back stuff up encrypted. There are many offsite backup providers out there.

    Fourth, consider a manual offsite mechanism, even if it is another external hard drive that you plug in, dump the contents of the NAS to, remove, and put offsite somewhere. This way, if you lose your NAS and Net connection, you still have some means to access your data.

  5. Re:Yes, Because Optical Media Is Durable on Ask Slashdot: Do You Still Use Optical Media? · Score: 2

    I have a stack of CD-Rs I burned back in 1996 which are still readable, and I pulled a file for an MMO from some CDs I made back in 2000. The info is obsolete, but it is still present on the media. The trick back then was to run Linux and cdrecord, with as few items running in the background as possible, just to ensure there would be no buffer underruns since there wasn't any protection against that back then.

    I would say it really depends on the media for archival life. Some optical media is junk, other media will last for a very long time.

  6. Re:Obligatory Pentax Fanboy Comment on Canon Unveils EOS 5D Mark IV DSLR (canonrumors.com) · Score: 1

    The ironic thing is that Canon used to offer a 50mm, EOS f1.0 lens. It is a monstrosity, but for getting shots in low light, it was unbeatable. I wish they still made such a thing, but I guess it probably didn't sell well. It would be nice though.

    Similar with Nikon's 2000mm telephoto lens that was sold for a bit and then discontinued.

  7. Re:Will not support, or buy from N. Korea on North Korea Unveils Netflix-Like Streaming Service Called 'Manbang' (bbc.com) · Score: 1

    They actually trade with someone other than basic stuff with China?

  8. Re:Good. on Google Working On New 'Fuchsia' OS (digitaltrends.com) · Score: 2

    I really don't want a unified OS. With the requirements by carriers, device makers, and governments, any cellphone OS will be locked down to keep the user out, while letting in plenty of remote attacks, be it the local country's LEOs, advertisers, or whatnot. I want my desktop OS to remain open, not rendered into some iOS variant where someone else controls my workflow, interaction with apps, ability to use hardware, and physical security of data.

  9. At the _minimum_ a source code escrow service, so if a contract is left unfinished or a business files for bankruptcy, the work made can be picked up by others and things continued. If I were paying someone megabucks to write up something, either the source code will be part of the contract, or it will be escrowed so that one party doesn't have a monopoly.

  10. Re:dark patterns huh? on Dark Patterns Across the Web Are Designed To Trick You · Score: 3, Interesting

    I've seen a ton of sites do that. Makes the advertisers happy, but pisses off everyone else.

    On social media, if I find something like that, if I care to wait through it, I summarize and write a brief transcript, then tell people to be happy that I saved them 30 minutes for one paragraph of text.

  11. I hope CyanogenMod continues. Combined with Nova Launcher and some other apps, it makes a very stable, decent platform for day to day use, and a phone upgrade (assuming it has an unlockable bootloader) doesn't mean a UI change.

    The alternatives are "meh". At best, there are people in the XDA forums who are top tier ROM chefs, making something custom that helps a device work quite well, but this can vary by device and how popular (or not) it might be. Most likely it might be a factory ROM, rooted, and debloated, but I'd rather have something built right from the ground up.

  12. Re:DOS was terrible on How (And Why) FreeDOS Keeps DOS Alive (computerworld.com.au) · Score: 1

    I have seen some add-on security products for both MS-DOS and early Macs (pre OS X) that were pretty good, and were more than just separating users.

    The most notable was a product by Casady & Greene called A. M. E., or Access Managed Environment. It allowed for hierarchical management of users where only the top admins could see peers of each other, and everyone else could only see who was lower in the hierarchy. Each permission had a setting of not just allowing or disallowing, but allowing the downstream user to allow their downstream users to set that. It also had very good encryption for its time (DES on the disk, folders, and individual files), as well as the ability to add code to copy-protect or otherwise restrict execution of applications (these were well before the days of signed applications, even applications that checked their own resources for integrity.) It even had features controlling lockout of a user, not just exponential timeouts, but for a very sensitive user, would go and erase files flagged as "sensitive", which ensured a brute force attack, even if successful, would not bring much. It even brought to the table 2FA by giving the option that a user must insert a floppy disk with a nonce file on it, as well as entering their password.

    Of course, there was logging, and virtually every action could be set to be placed in an audit log.

    Of course, today's user management has replaced the security programs that sat on top of single user, cooperative multi-tasking operating systems, but it is interesting to see how this was added on.

  13. It is a threat, not a weapon... on Russia Is Building a Nuclear Space Bomber (thedailybeast.com) · Score: 1

    The thing about something like this, it appears to be less intended to replace existing delivery mechanisms, but be more of a means to convey a threat than anything else. If tensions get high, Russia can launch a number of these into orbit, similar to how in a situation where a handgun is pressed to someone else's face, the person holding the gun would pull the hammer back on their revolver to show they mean business, even though a single action pull on the trigger will do the same as cocking the hammer and firing.

    Realistically, how dangerous is it? For this purpose, it is an excellent propaganda vehicle. However, I suspect these have multiple purposes, perhaps being able to launch/maintain satellites or other military purposes.

    The ironic thing is that these "nuke shuttles" might not be all bad. It might be that they wind up being one of the few craft that can fix research satellites when in orbit, due to the decommissioning of the US shuttle fleet.

  14. Re:"virtual reality cannot completely take over... on Hamilton Producer Jeffrey Seller: Live Theater Is the Antidote To Digital Overload (recode.net) · Score: 1

    The thing about theater is the low tech element and the interactivity. It also is a type of acting that is harder than movies. Theater has no retakes, no bloopers. Once a show starts, there are no directors shouting "cut!"... the show runs until it finishes.

    Same reason why renaissance faires are popular. Not everyone wants to channel all their entertainment time by using a device.

  15. Re:Cost of Living Tradeoffs on Tech Workers Think Silicon Valley and Startups Are Losing Their Luster (qz.com) · Score: 1

    It can be odd how places hire. Last year, I had a job interview with a firm where the skinny jeans, white earbuds, full beard and the shaved side haircut was pretty much the standard with everyone in the building. When the interviewer asked me when I was going to grow a full mane to fit in to their team, I knew that my chances of getting the job were nil... so, my response was "because gas masks don't seal over facial hair."

    Some tech companies hire on things that have nothing to do with actual competency.

  16. Re:We dont need a better private mode-- on Do We Need A Better Private Browsing Mode? (networkworld.com) · Score: 2

    I would disagree for the most part. The only real gain we have had would be plain English search engines like Google.

    Twitter? That's what IRC is for.
    Someone's wall? That is what a .plan file is for and finger.
    A blog? Web page.
    Local stuff? NNTP groups.
    Stuff worldwide? More NNTP groups.
    Pr0n? alt.sex.cthulhu

    Social networks don't give much other than being one place with a consistent UI. Even worse, unlike USENET where even if someone is a total asshole, their voice is read until people stuff them in the killfile, private social networks have free rein to allow or stifle discussions as they see fit, to the point of trying to affect elections.

    Oh, can't forget ads. Before Eternal September, websites had no problem existing without requiring full page, Flash ads which often served up malvertising. Now, so many site owners wring their hands when someone security-minded uses an ad blocker (other than Trojans, malvertising is the #1 source of infections, so it is a matter of security not freeloading.)

    tl;dr, there really have not been that many advances since Eternal September that have been actual groundbreaking items. Search engines and analytics coupled with Big Data is the only thing. Everything else is just reinventing the wheel to treat subscribers as the product.

  17. Re:i use tor on Do We Need A Better Private Browsing Mode? (networkworld.com) · Score: 3, Interesting

    With browser fingerprinting (check it out on EFF's Panopticlick), it really doesn't matter if you use Tor or not.

    What I do if I want a stateless session is vagrant up a virtual machine, have it provisioned with a web browser, usual ad blocker software, my bookmarks as a clicky HTML file locally, and use that. When done, destroy the VM. This way, any changes or stuff saved to the VM are toast, and there will always be a different fingerprint every session.

    As for protecting my IP, I just use a VPN service. For me a simple proxy is good enough so that ad companies and behavior tracking sites are blocked/stymied.

  18. Re:Too bad the recipe... on Hostess Saves Twinkies By Automating, Fires 94% Of Their Workforce (washingtonpost.com) · Score: 1

    Agreed. Automation is great, but if the product suffers, what is the point? I have wound up just going to local bakeries for their specials. Their pastries may not survive a direct nuclear hit like Twinkies or Peeps and emerge intact, but they are likely a lot better for you, and taste a lot better to boot.

  19. Re:The Taste must have been fired also on Hostess Saves Twinkies By Automating, Fires 94% Of Their Workforce (washingtonpost.com) · Score: 1

    I bought a pack last January, and they had zero flavor or taste. Yes, the texture and color are the same, but I might as well be putting paper on my tongue. Oh well, there are better desserts these days, especially from local bakeries.

  20. Problem is, if you ask a lot of companies why they don't bother with backups or security, you will get an answer along the lines of "security has no ROI", "nobody has made a cent from padlocks except the padlock maker", or something along those lines.

    Then they get stung, and what happens is that some worker bee gets blamed for everything, shitcanned, some "security measure" is taken like forcing all AD users to change their password, and life goes on.

  21. Bingo. NAS offerings are relatively cheap. Both Synology and QNAP offer both snapshot functionality (useful because someone can cd into the snapshot directory to get their pre-fucked files), as well as backups to external drives, other NAS offerings, or the cloud (encrypted on the client, of course.)

    Then, add a decent backup program like Veeam for Windows which has the ability to mount a share only when it is using it, to narrow down the window that ransomware can trash it, and this not just functions as a backup, but fits the 3-2-1 rule (three copies, two on separate media, one offsite.) I personally like using two backup programs, one for the whole box like Veeam or Time Machine, and one just for documents like Arq.

  22. Re:Corpses == profits? on Nintendo Stock Price Up 9% After Pokemon Go Launch (venturebeat.com) · Score: 1

    Final form, perhaps?

  23. Re:From my cold dead hands.... on Ask Slashdot: Should You Upgrade To Windows 10 For Accessibility Features? · Score: 1

    Meh, I'm not so attached to an OS that I'd put my life on the line for it. Classic Shell helps make it more usable, and it does come with some security improvements.

    As for Windows OS of choice, if I did have to upgrade, I'd go with Windows Server 2016 when it goes GA. Windows Server 2012 R2 works quite well as a gaming platform, and it ships with everything disabled. Want desktop stuff, you can turn it on after installation. As an added bonus, wbadmin isn't the crippled, worthless version that is found in client editions of Windows, and is useful for a day to day backup utility if one didn't want to run Veeam.

  24. Re:Why should I trust it? on Facebook Messenger To Get End-To-End Encryption · Score: 1

    The key is narrowing the avenues of attack. An offline laptop that is used with a SD card narrows down the avenues of attack to Stuxnet/black bag attacks, especially if the RF antenna is physically removed. Yes, someone can hit my computer with a keylogger, but that is a direct attack. Someone cornholing an app that does its own encryption and compromising it is a lot easier and done on a far wider scale than someone who is able to attack a program that only runs on endpoints as well as the transport system.

  25. Re:Why should I trust it? on Facebook Messenger To Get End-To-End Encryption · Score: 1

    This is why you use endpoint encryption like an OpenPGP utility (gpg, openpgp, apg, Symantec's SED, etc.) Then, the transport encryption doesn't matter as much. Ideally, the computer with the keys is offline and some means like an SD card is used to transfer data back and forth.

    At the minimum, having endpoint encryption separate means that a bad guy has to compromise two completely different utilities that function in completely different ways.

    This isn't a 100% secure method, as OpenPGP doesn't offer PFS, but it does ensure that data is protected with more than just "trust us, we encrypt stuff" promises.