Episode Transcript
0:02
Two and a half admins episode 181. I'm Joe. I'm
0:05
Jim. And I'm Helen. And
0:07
here we are again. IT
0:09
consultant in Germany fined for exposing
0:11
shoddy security. This actually reminds
0:13
me of some of the early DMCA cases
0:15
back in the 90s when
0:18
newspapers would put just
0:20
completely unsecured visual basic
0:22
access applications out on the web and somebody
0:24
would discover it and poke around at it
0:27
and be like, Hey, did you mean to
0:29
do this? Cause like I could post articles
0:31
if I wanted to. And then the newspaper
0:33
immediately calls the cops and tries to sue,
0:35
you know, the person for being an OMG
0:38
evil hacker. So this
0:41
is essentially the same
0:43
story again. This security
0:46
consultant found a password that
0:48
was just baked in clear
0:50
text right into an executable. The
0:52
password was to a publicly accessible
0:54
database application. And so he used
0:58
it to see what was there in the
1:00
course of research. And he notified to the
1:02
company, you know, Hey, anybody
1:04
can literally just see that password,
1:07
your database in the application and
1:09
can use it to log on and see
1:11
all of this data in the database. That's
1:13
a bad thing. So of course they decide,
1:16
well, this is the bad guy right here. And let's
1:18
throw him under the bus. You can see
1:21
how this would have happened 20, 25 years ago, but
1:23
how the hell is this happening now? Well,
1:25
do you think judges are that much more
1:27
IT aware than they were then?
1:30
Maybe not judges, but surely some
1:33
of the police and The police? Are
1:35
you kidding me? I mean, I was
1:38
expecting you to make that comment about
1:40
like, you know, a middle manager or,
1:42
you know, corporate brass type who initiated
1:44
the legal proceedings and say, shouldn't they
1:46
know better? And the answer to that
1:49
question is yes, they should know better now than they did 20,
1:51
25 years ago. They might still not like no,
1:54
no, but they should know a lot better. But
1:56
what hasn't changed in the intervening 20 to 25 years.
2:00
is the impulse to just be done with the
2:02
thing. Like, a bad thing happened,
2:04
I'm pissed off about it, and here is
2:06
somebody that I can excusably
2:08
use to vent my ire upon.
2:11
And that's all some people need.
2:14
Now, as to the question of why this would
2:16
happen in the courts, the answer
2:18
there is, as far as I
2:20
can tell, from looking at what the article had
2:23
to say, it looks like it's a basic and
2:25
not really IT-related legal screw-up.
2:28
When assertions were made about whether or
2:31
not a plaintext
2:33
password baked directly into an executable,
2:35
and an executable reminds you that not
2:37
only the customers had access to, but
2:39
anybody could download this executable directly
2:42
from the company. With no prior association
2:44
to the company, they could download it,
2:46
and doing so would give them access
2:48
to this password that's, again, embedded in
2:50
plaintext inside the executable. So,
2:52
when the plaintiff made
2:55
the case that this
2:57
does not qualify for protections because
3:00
this was a secured secret – I forget
3:02
what the translated German legal verbiage is, but
3:04
essentially, the law in question says that it's
3:07
not hacking if it wasn't secured in the
3:09
first place. It's basically what it boils down
3:11
to. And when the
3:14
plaintiff said that this was evil
3:16
hacking because the password was the
3:18
security thing, and they bypassed the
3:20
password, what should have happened
3:22
is the defendant should have called an expert
3:25
in to testify, and the expert would inform
3:27
the judge, no, this
3:29
does not qualify as a protected
3:31
secret under this statute because X,
3:33
Y, and Z. That
3:35
part didn't happen, and without bringing in the
3:38
expert to challenge the statement that was made
3:40
by the plaintiff, well, if it makes
3:42
sense to the judge, it rolls right on through. And
3:45
part of this is the defendant is
3:47
looking at 3,000 euro fine, and if he's
3:50
going to spend that between the lawyer and
3:52
the expert to defeat it, it maybe doesn't
3:54
make sense. I believe Germany is a winner-takes-all
3:56
court system, though. That's a good point. I
4:00
recall, if you lose, you got to pay
4:02
the, uh, you got to pay the victor's
4:04
court costs. But I think the other part
4:06
there is to people who are the types
4:08
that don't listen to this podcast, opening
4:11
up an executable file that's in binary
4:13
and finding plain text strings in it,
4:15
beside the fact that people know how to use
4:17
the strings command is just
4:20
as much hacking as anything else.
4:22
Then not that that's correct, but
4:24
basically if they don't understand how
4:26
it works, then it's magic and they can say
4:29
it was hacking. And that's a really
4:31
big part of the problem here. The
4:33
police seize the guy's computers because the
4:35
company claimed that he could only have
4:37
gotten this password through insider knowledge because,
4:39
you know, it's a secret inside
4:41
their company. And I guess they don't realize that.
4:44
Yeah. And you baked it into the executable and
4:46
put it up on your website for anybody to
4:48
download. If you're not familiar with that command that
4:50
Alan just mentioned is like a one
4:52
off there strings, literally you can just type
4:54
strings and, you know, the executable file and
4:56
it will look for plain text in there
4:59
and tell you all the little bits of,
5:01
you know, plain text they could find. It
5:04
is not a difficult procedure. No, that
5:06
sounds like pretty extreme hacking to me,
5:08
Jim. Well, it sounds like this guy
5:10
didn't even use a tool like that.
5:12
He literally opened the executable in a
5:14
text editor. Now, he probably would
5:16
have had a reason to start there, but
5:19
that's maybe beside the point. But yeah, so
5:21
the string command is available on, you know,
5:23
BSD and Linux and so on. By default,
5:25
I think finds any string of eight or
5:27
more printable characters in a row. And
5:30
so you can run it on, you know,
5:32
a tar file or an executable or anything
5:34
and it'll just find any globs
5:37
of human readable text and spit
5:39
them out for you. I've used
5:41
it in the past to do something very similar
5:43
to find passwords hidden in flash SWF files
5:46
for video streaming back in the day when they'd have
5:48
a video stream where the URL was protected by a
5:51
secret. But the secret was baked into the
5:53
flash player. And if you knew how to use the strings
5:55
command, you should get the raw feed of the video. And
5:58
I'm sure to everyone else that was magic
6:00
super elite hacking rather than I ran
6:05
the strings command and found the thing that
6:07
was obviously two English words
6:09
stuck together that I would guess was
6:11
the password and oh yep that was the password. Yeah
6:13
but so a lot of people using nmap as hacking. Yeah.
6:15
And those people
6:18
should not be consulted on their opinions of
6:21
what is or is not hacking and much the same
6:23
reason you really shouldn't ask me what it feels like
6:25
when the baby kicks at six
6:27
and a half months. Ask somebody who
6:29
does. Canadian
6:31
man stuck in triangle of e-commerce fraud.
6:33
This is a kind of a complicated
6:36
one and it doesn't work
6:38
if you don't understand how the scam
6:40
works. This triangle e-commerce fraud
6:43
that we're talking about initially looks a lot like
6:45
a standard drop shipping scam. Now you're probably familiar
6:47
with drop shipping scams. That's where somebody finds
6:50
a product they think that lots of people will want
6:52
that's available for anybody
6:54
to buy and then rather than telling everybody
6:56
hey go buy this thing from here they
6:59
instead set up their own e-commerce site
7:01
and they say you can buy this
7:03
thing from me. Only they don't have
7:05
the thing. They just drop ship directly
7:08
from the actual vendor to you and charge you
7:10
more money that it costs them to buy it.
7:13
So that's usually not illegal but it's
7:15
obviously a grift in the same way that
7:18
scalping tickets for concert would be. You're unnecessarily
7:20
inserting yourself somewhere as a middleman who provides
7:23
no actual value but just extracts
7:25
lucre. However that's
7:27
not quite what was going on
7:30
here. What happened for this
7:32
triangle of fraud is you had one
7:35
attacker and two victims. The
7:37
attacker first gets access to either
7:40
a credit card or a retail
7:43
login you know like at Walmart or Amazon or
7:45
what have you from victim number
7:47
one and then puts
7:49
up again you know it's it's the whole
7:51
like we're just gonna do the drop ship
7:53
thing. You either put up an e-commerce site
7:55
or in this case you just list things
7:57
for sale on Amazon yourself. But
8:00
rather than you actually having those things, you're
8:02
still just doing the drop shipping scam. The
8:04
only thing is, you're not
8:06
buying the original thing that you drop
8:08
shipped straight from the original vendor. You're
8:11
using victim number one's money to buy that
8:13
thing and ship it to victim number two.
8:15
So then what happens is, it looks like victim
8:18
number two is the one who's been stealing from
8:20
victim number one when it was really you all
8:22
the way along. Victim number two
8:24
was just looking for a place to
8:26
buy the thing, found your listing, and
8:28
bought it theoretically from you, and
8:31
you used a stolen credit card or
8:33
login to get those things shipped to
8:35
that victim. So this is what
8:37
happened, and understanding that, let's talk about the
8:39
actual case and the way
8:41
that the Canadian cops responded to it,
8:43
which was horrible. So
8:45
yeah, what seems to be the biggest
8:48
part of the problem here is that
8:50
when the police, in this case, the
8:52
RCMP, because this took place in rural
8:55
Alberta, which doesn't have its own police,
8:57
and so they contract the federal police
8:59
to police locally, they got a
9:01
complaint from victim number one in Ontario saying,
9:03
somebody hacked my Walmart account and bought a
9:05
whole bunch of stuff and had it shipped
9:07
themselves in Alberta using my credit
9:10
card, and they're stealing from me. And so they
9:12
get this report with an address of where the
9:14
stuff was shipped, and they go there and it's
9:16
like, hey, why did you steal all this stuff?
9:20
And the guy's like, what do you mean? I bought
9:22
this legitimately off Amazon. He's like, well, why does it
9:24
say Walmart on the box? He's like, I don't know.
9:26
And he genuinely did not know because why would he?
9:28
Because he bought a thing on Amazon, and the thing
9:31
showed up exactly as it should and in
9:33
the timeframe that it should. And
9:36
you kind of have to really be paying attention
9:38
to it. It's like, oh, hey, the exact items
9:40
that I ordered showed up exactly when they should,
9:42
but they showed up from the wrong vendor. And
9:44
with somebody else's phone number on the shipping label,
9:46
but my address. But it was
9:48
further complicated by the fact that actually this stuff
9:50
was a little late in getting there, and so
9:52
the guy wasn't home. He was actually on the
9:54
other side of the country for work, and
9:57
so police were like, yeah, you've got to come down to
9:59
our office here and talk to us and say, well,
10:01
I'm on the other side of the country right now. I'll be
10:04
home in like a week. And as their
10:06
investigation went on, and they think this guy is like
10:08
dodging them, they get really
10:10
nasty about it, totally unnecessarily.
10:13
And as the guy is trying to consult
10:15
a lawyer about it, they're like, yeah, you
10:17
know, we're going to come arrest you and
10:19
making almost threatening statements. Not
10:22
almost threatening. They very specifically threatened to
10:24
break down his door, inquired of
10:26
him about where his wife was
10:28
and what her itinerary was. And
10:30
just, it's a
10:32
classic and very familiar case of just
10:35
police intimidation. You know, the cops decide
10:37
they've got the bad guy, and therefore,
10:39
they are by God going to make him
10:42
regret the day he was born. And that's
10:44
one thing when you do actually have the
10:46
bad guy, but that's why it turns out
10:49
the cops are only supposed to investigate. They
10:51
are not the judge, the jury, or the
10:53
executioner, ideally. They're not even
10:55
supposed to determine guilt, right? That's for the courts, not the
10:57
police. Ah, but
10:59
that's where it gets even worse, because it
11:01
turns out in Canada, even the court isn't
11:03
actually who determines your guilt in one sense.
11:06
So our victim number two here, Travis
11:08
Barker, the guy who is in rural
11:11
Alberta, he now has the issue
11:13
that he is unable to find work because
11:15
he has a criminal record. Where
11:18
he is, your criminal record, is not a
11:20
record of your convictions. It's a record
11:22
of your charges. And
11:24
as it finally started becoming clear that
11:26
maybe this case was a little bit
11:28
more complicated than they thought initially, the
11:31
RCMP simply declined to prosecute. Now,
11:33
they didn't clear the charges. That
11:35
wouldn't be the RCMP. That would
11:38
have been the Crown Prosecutor. Yes,
11:40
they stayed the proceedings, so they just kind
11:42
of put pause on the case. We could still
11:45
come back and charge you later, but we're not charging you right
11:47
now. But the charge is
11:49
still listed on this public record.
11:51
That is what employers have access
11:53
to look at. They don't get
11:55
very much information, and so it makes it
11:57
hard to tell the difference between there's
12:00
this case pending and someone's
12:02
actually been found guilty of something. It's
12:04
not that often that I look at
12:06
my northern border and think, well, thank
12:08
God I'm not on that side of
12:10
the line. But that's terrifying, the idea
12:12
that charges are treated the
12:15
way convictions are down here. Like, if
12:17
it worked that way down here with the way our
12:19
cops act, like, we'd all be in jail, every
12:22
last one of us. ICANN
12:25
proposes creating .internal
12:27
domain. It's sort
12:29
of like private subnets, non-routable
12:31
private subnets like 192.168 or 10. But
12:36
for DNS, the idea here
12:38
is that if you've got a
12:41
purely internal bogus TLD
12:43
essentially that you want to use, it should
12:46
be .internal. The
12:48
big thing that you get out of this is
12:50
if you were to create a purely private domain
12:53
that ends in .internal for its TLD,
12:55
then queries to that domain will not
12:57
go out to the root servers of
12:59
the internet even if they escape your
13:01
local network. Because every
13:04
other DNS server understands, oh,
13:06
this is not something that I should try
13:08
to resolve in much the same way that
13:10
every router out there understands, oh,
13:13
no, I should not be trying to route
13:15
packets to 192.168.0.whatever. Yeah.
13:18
Yeah, we've seen lots of proposals of
13:21
this like .land, all kinds of things.
13:24
It's good to finally see something happening.
13:27
Why it took so long is an interesting
13:29
question. After years of
13:31
debate, ICANN has narrowed down to .private
13:33
and .internal, but decided on .internal for
13:35
kind of similar reasons we talked about
13:38
a couple of episodes ago with private
13:40
browsing mode. They didn't want
13:42
to give the implication to people that this will
13:44
somehow protect privacy because it won't. It's just this
13:46
means that this thing is not meant to be
13:49
routed to the internet and so
13:51
.internal was chosen. Okay,
13:54
this episode is sponsored by people who
13:56
support us with PayPal and Patreon. Go
13:58
to 2.5admins.com for
14:00
details of how you can support us
14:03
too. 2.5 Admins is part
14:05
of the Late Night Linux family, which means that for $10
14:07
a month on Patreon you get
14:09
access to an RSS feed that contains
14:11
all the Late Night Linux family shows
14:13
without adverts like this. There's also
14:15
an option to get Just This Show ad free for
14:17
$5 a month if you prefer. Some
14:20
of the episodes are even released a day or
14:22
so early for Patreon supporters. So,
14:24
if you like what we do and can afford it,
14:26
it would be great if you could support us at
14:28
2.5admins.com. Let's
14:32
do some free consulting then, but first just a quick
14:34
thank you to everyone who supports us with PayPal and
14:36
Patreon. We really do appreciate that. If you
14:38
want to join those people you can go to 2.5admins.com. And
14:42
remember that for various amounts on Patreon you can
14:44
get an advert free RSS feed of either Just
14:46
This Show or all the shows in the Late
14:48
Night Linux family. And if you want to
14:50
send in your questions for Jim and Alan or your feedback,
14:52
you can email show at 2.5admins.com. Tom
14:56
says, I'm building a really large NAS, a
14:58
mini computer actually, 32 terabytes
15:00
over four hard drives. Trying to
15:02
suppress giggles at that being really
15:04
large. Yeah, I was waiting for this.
15:06
Yeah, yeah. But I don't want to,
15:08
I'm not jeering at anybody. No, no, no,
15:10
but that's not large to some people.
15:13
That would be large to me to be fair. But
15:15
anyway, 16 gigs of RAM, the whole
15:17
thing. Aside from this being a
15:19
daunting project for a relative noob to take on, are
15:21
there any recommendations as far as OS? As
15:24
far as the real benefit of RAID, it seems
15:26
to only cut the total storage available. Oh
15:29
well, RAID's a great backup, isn't it? Ha, ha,
15:31
ha, ha, ha. The advantage of RAID is that
15:33
if you lose one hard drive, you don't lose
15:35
either all the data or one quarter
15:37
of your data. The whole point of
15:39
RAID is that hard drives will fail, period.
15:41
They definitely will. And RAID means,
15:44
depending on their configuration, being able to
15:46
lose at least one of those drives and
15:48
replace it without losing the data. Yeah, without
15:51
losing any uptime. Yes, although the uptime isn't
15:53
even that big of a deal in the
15:55
end, it's really about not losing
15:57
the data. If you just stripe
15:59
or span those four hard drives
16:01
to get one really big volume that
16:04
holds your 32 terabytes and
16:06
you start writing files through it, if you lose
16:08
one of those drives, it's likely the entire 32
16:10
terabytes of data is garbage now. And
16:14
Raid makes sure that maybe you don't get to
16:16
use all 32 terabytes, but when one of the
16:18
drives does die, because it will, that you can
16:20
swap it out with another one, wait for it
16:22
to rebuild, and hey, look, all
16:24
your data is still there. Hang on Alan,
16:26
it sounds to me like you're trying to
16:29
devalue our t-shirt that doesn't exist. Raid
16:31
is not a backup. No, you still need
16:33
a backup. So if you only can afford 32
16:35
terabytes worth of hard drives, what
16:37
you're actually going to have is one mirror of
16:40
eight terabyte drives on your primary and one mirror
16:42
of eight terabyte drives for your backup or something.
16:45
Or maybe like a Raid
16:47
5 or RAIDZ1 of three drives as the
16:49
primary and one drive is the backup, but then your
16:51
backup won't be big enough. And yeah. So
16:54
Raid is not a backup. It's just about
16:56
keeping the one system going and not losing
16:58
the data. You still need your backups because
17:00
the other thing Raid doesn't help you from
17:02
is when you accidentally delete something or
17:04
you get ransomware or the power goes out and
17:06
it corrupts the file, although that doesn't happen on
17:09
ZFS. But all the different
17:11
things that can happen, whether it was somebody did it maliciously,
17:13
somebody did it accidentally, the program screwed
17:15
up, whatever, having other
17:18
versions of those files on another
17:20
machine is absolutely critical.
17:23
Well, like Félim from Late Night Linux,
17:25
for example, his cat pissed on his
17:27
UPS and totally fried
17:29
that. Now, if that had been his storage
17:31
server, it could have totally fried that. And
17:34
so yes, you do need a backup. Why
17:36
does that just feel like an especially Irish
17:38
story? But
17:42
it does, doesn't it? It does a little
17:44
bit. Yeah. You
17:47
absolutely have to have a backup. Backups
17:49
aren't optional. If your choice is between
17:51
parity or redundancy, meaning a mirror or Raid Z
17:53
and a backup, you can only afford one of
17:55
the other. You take the backup
17:58
and you run with no redundancy because... backups
18:00
are better. Now your
18:02
other option is you don't necessarily have to host
18:04
your own backup. If you want to go ZFS,
18:06
you could set up an rsync.net
18:09
account and you can back up to the
18:11
cloud. You can replicate directly to them pretty
18:13
easily. At this scale though,
18:15
it's usually better to just go ahead
18:17
and run your own backup because you'll
18:19
very quickly spend more money on monthly
18:21
costs for backup somebody else is hosting
18:23
than you will in just
18:25
putting some hardware together for yourself. But if
18:27
you've never run a storage server
18:30
before, even a small one, and
18:32
you've only ever had say USB drives and
18:35
then you buy two large drives like
18:37
two 18 terabytes in my case, it
18:39
is quite galling to just
18:41
only have 18 terabytes available and
18:44
mirror them. There's just something
18:46
that feels like really quite frustrating about
18:48
that and you two have taught me
18:50
enough to know that like no, don't
18:52
feel that frustration. But for someone who's
18:54
new to it, I understand
18:56
why Tom is saying like, I
18:58
don't want to cut the total storage available. Oh, I
19:01
understand it too. I mean, we've all been there. We've
19:03
all been that person that had to learn
19:06
that lesson and stubborned up and
19:08
really liked the sound of 32 terabytes versus 16
19:10
or 96 terabytes versus 48 or whatever, whatever your
19:15
scale is, you think, man, I just
19:18
want to be able to say I have
19:20
this volume that's all these terabytes at once.
19:22
And if I split this up into my
19:25
production, my backup, well, then now I have to
19:27
cut that number. And if you
19:30
think that number doesn't gall, you know, folks like
19:32
me and Alan also, you're wrong. It does. It's
19:34
worse for us because for us, we're like,
19:37
we not only need backup, we need
19:39
multiple backups and we need proper redundancy
19:41
on our production and our hot spare
19:44
and our backup. So, you
19:46
know, like for me personally, I'm usually
19:48
doing mirrors on everything. I've
19:50
got three boxes for any given application, the
19:52
production, the hot spare and the backup. So
19:54
when you want to talk about what I've
19:56
got to buy, the total number of hard
19:58
drives I buy, you got to divide
20:00
it by six to come up with the actual capacity
20:03
I've got to work with. Not two, six.
20:05
Yeah. I just finished a job where I
20:07
replaced a server that has 68 hard drives
20:10
that grew over time with like 12, 12,
20:12
12, 12, 12, 10, 10, et
20:14
cetera. And so I replaced all the oldest
20:17
drives, which are five terabytes with brand new
20:19
16 terabyte drives. But
20:21
each of those sets of 12 is a RAIDZ2.
20:24
And so two of those drives'
20:26
capacity just go away. And 16 hard drive manufacturer
20:30
terabytes is 13.9 actual
20:33
usable terabytes or whatever. And so
20:36
lots of space disappearing there. And
20:38
so while it was nice to get the extra 90
20:40
terabytes of free space, I bought
20:42
192 terabytes of hard drives to
20:44
get that. And that's
20:46
just the backup server needed to
20:48
perform the same operation on the primary too. So
20:51
then you're talking about buying 24 16 terabyte
20:54
hard drives just to be able to do that. You
20:56
just need to have a different mindset, don't you? You really
20:58
do. We should probably back
21:01
down a little bit off of Alan's and my tales
21:03
of having to buy legions of hard
21:05
drives for things, because it's not
21:07
really the scale that Tom is talking about. And
21:10
this is a person who has four hard drives
21:12
and wants to get the most they can out
21:14
of them. And the unfortunate thing is if with
21:16
a total of four, you don't really
21:18
have a whole lot better option than
21:21
divided in four. Now,
21:23
if you add one more hard drive to that
21:26
mix, then you could say, for
21:28
example, you know, I'm going to have a mirror
21:30
on my main system that gives
21:33
me eight terabytes of storage. And
21:35
I'll do a RAID Z one on my backup
21:37
that doubles that. So now you can not only
21:39
back up your eight terabytes, but also have some
21:42
archive depth, which is a really nice thing to
21:44
have. Or if that doesn't appeal,
21:46
well, if you'll buy two additional
21:48
hard drives, then you can have a RAID
21:50
Z one three wide on both sides. I
21:52
do not advise going wider than three drives
21:54
on Z one, but three is
21:57
fine. And now for those
21:59
two additional drives, well now you can have 16
22:02
terabytes on both sides. There
22:04
are a lot of combinations there, but if
22:07
you want more than 8 terabytes of usable
22:09
storage and you don't want
22:11
to be running a big risk of losing data
22:13
down the line, you probably need at least one
22:15
or two more drives. The analogy that comes to
22:17
mind when people complain about this to me is
22:19
like somebody who wanted to buy racing tires
22:21
for their car, but they could only afford to replace one
22:23
of the four tires on their car with a racing tire.
22:27
I think that analogy is more apt to the
22:29
legions of people that want to make a super
22:31
fast mirror vdev with one solid state drive and one
22:34
rust drive. Yeah, that is even better
22:36
run for that. What about recommendations
22:38
as far as an OS? Normally you say
22:41
XigmaNAS, don't you Jim? Yeah, XigmaNAS
22:43
is generally my favorite for just
22:45
a fired up and go NAS
22:47
distribution. I think it's
22:49
definitely going to be easier for a
22:51
relative newbie just because there's a lot
22:53
less going on there and the interface
22:55
is a bit quicker to respond. On
22:58
the other hand, if you think you might
23:01
want every conceivable shiny bell and whistle that
23:03
isn't even necessarily really a NAS
23:05
thing, but if you also want to run VMs
23:08
on the machine or what have
23:10
you, TrueNAS offers you a lot
23:12
more flexibility there. With
23:15
that additional flexibility, very much comes
23:17
additional surface that you can use
23:19
to get yourself in trouble. So
23:21
be cautious of that. The
23:24
final option for, I just want to throw a distribution
23:26
at this that's going to do some of the heavy
23:28
lifting for me. It's
23:30
getting increasingly popular for people to
23:32
just install Proxmox and run everything
23:34
in VMs under Proxmox. At that
23:36
point, whatever you want
23:38
for your file server, maybe you literally want
23:40
to just have like a Windows computer that
23:43
is giving you a map drive. Well, you
23:45
can just fire up a Windows VM on
23:47
Proxmox and store all your files there. Or
23:49
you can spin up a Samba server there. Or you
23:52
can spin up OpenMediaVault. Or
23:54
you can do a XigmaNAS or
23:56
a TrueNAS, though preferably not using
23:58
ZFS. I don't really recommend nesting
24:00
ZFS on ZFS. It
24:02
does work, but you can have some
24:05
performance issues if you're going to nest the
24:07
NAS distribution under ZFS.
24:09
I would generally recommend, yeah, the ZFS
24:11
on the outside and then on
24:14
the inside just use UFS or
24:16
ext4 or whatever the default
24:18
cheap and easy legacy file system is
24:21
on that distribution. I mean, my
24:23
advice would be, if you want
24:25
to learn about this stuff, then just install
24:27
Ubuntu or FreeBSD and
24:30
just build it up manually. Or
24:32
if you want to just get going, then yeah, use
24:35
one of the distributions that Jim's recommended. But
24:37
for me, I wanted to learn how it
24:39
all actually fit together, and that's why I
24:41
just installed regular Ubuntu. And if you
24:43
want to do a FreeBSD NAS from scratch, the
24:46
Klara site has a series of articles
24:48
on everything from how you pick out
24:50
the hardware through to setting it all
24:52
up, etc. While we're on
24:54
the topic of picking out the hardware, there is one thing I
24:57
want to mention. We're talking about a
24:59
system with four 8 terabyte drives, and
25:01
the first thing that leaps out to
25:03
me is 8 terabytes is not a
25:05
size of drive that I would buy
25:07
today. Now, I understand it
25:09
very frequently people are working with drives they
25:11
already have, that they've acquired, you know,
25:13
one way or another, where they've already
25:16
bought them on Amazon, or somebody gave them to them, or they've
25:18
got some gear they already have.
25:20
But if you haven't bought your kit
25:22
yet, think carefully before you
25:24
decide what hard drive to buy. I
25:26
do not recommend buying a bunch more
25:28
smaller drive sizes thinking we'll all get
25:30
more performance this way. You might, or
25:32
you might not, but you will certainly
25:35
consume more power, have more potential
25:37
things to break, and limit your
25:39
expandability. Generally what you want to do
25:41
is you want to get onto a
25:43
reputable vendor site and look at what
25:45
they have to offer, and you'll see
25:47
that the very small hard drives are
25:50
more expensive per terabyte, and then you
25:52
hit a pretty stable cost per terabyte,
25:54
and these days that cost will
25:56
stay about the same
25:58
until there's
26:00
another point where it'll start to get more expensive.
26:03
You want to buy the biggest drive where
26:05
the cost per terabyte hasn't actually gone up.
26:07
Because I promise you, it's typically going to
26:09
be cheaper all the way around to deal
26:11
with a couple of 16 terabyte
26:13
hard drives than four 8 terabyte
26:15
drives, and there will be less to break.
26:18
Yeah. I linked in the show notes to
26:20
a great aggregator that scrapes Amazon and Newegg
26:22
and so on and looks at all the
26:24
drives for sale and sorts them by price
26:27
per terabyte, which can be the best
26:29
way to find the deals on the drives
26:31
that are you're paying the least per
26:33
terabyte rather than it can be hard to
26:35
look at, oh, well, the 8 terabyte drives are like $119 to $129, and
26:37
the 12 terabyte drives are $180 to $200 and being able to pick the
26:46
right one. Because yeah, what Jim is
26:48
saying there is you might be better off buying
26:50
two 16 terabyte drives to get your 32 terabytes
26:52
and being able to buy two more before
26:54
you run out of slots in your chassis in
26:57
the future to expand rather than going for four
26:59
hard drives straight away. But at the
27:01
same time, if you only have so much budget and you
27:03
need to have a backup as well, then maybe more hard
27:05
drives is better. But definitely look at
27:07
the cost per terabyte and don't fall in the
27:09
trap of, oh, the smaller hard drives are cheaper.
27:12
It's like, yeah, but not per terabyte. And if
27:14
you're buying a significant number of terabytes, it can
27:16
make a big difference. Given
27:18
that I was just talking about maybe you might want
27:20
to buy a couple more drives, what
27:22
Alan's saying here really factors in there because one
27:25
of the things that might make a lot of
27:27
sense is keep your group of four 8 terabyte
27:29
drives exactly as it is. Put that in one
27:31
box and buy a pair of
27:33
16 terabyte drives for the other one. If
27:36
you're going to do that somewhat counterintuitively,
27:38
I would really recommend the 16 terabyte
27:40
drives on the production side and use
27:42
the four 8 terabyte drives as your
27:45
backup. In theory, more
27:47
spindles means more performance in practice these
27:49
days at this scale on rust drives.
27:51
It's not usually going to work out
27:53
that way. So really what you're
27:55
doing is you're putting your 16 terabyte
27:58
drives, the newer drives, in
28:01
the system that you're touching more frequently. I'm
28:03
not sure if I recommend it yet, but
28:06
I just bought my big batch of 16
28:08
terabyte drives from a company called
28:10
Server Part Deals that's selling recertified drives from
28:12
Seagate at significant discounts, like $10 a terabyte
28:14
rather than $15 to $18 a terabyte. But
28:20
they have a shorter warranty. I do recommend
28:22
those. I have bought quite a number of
28:24
refurbished drives, and quite a number of them
28:26
specifically from that vendor. I have yet to
28:28
be bitten. Yeah, and they have both SATA
28:30
and SAS drives. A lot of them
28:32
are enterprise, so if you care about noise, be
28:35
careful, and look up the model numbers and
28:37
so on. But you can save
28:39
a lot of money by cutting a third
28:42
off of the price of hard drives when you need to
28:44
buy quantity. Right, well, we'd
28:46
better get out of here then. Remember, show
28:48
at 2.5admins.com if you want to send in your
28:50
questions or your feedback. You can
28:52
find me at jrs.com/Mastodon. You
28:54
can find me at
28:57
jrs-s.net/social. And I'm at Alan
28:59
Jude. We'll see you next week.