2.5 Admins 181: Triangle Fraud

Released Thursday, 8th February 2024
Episode Transcript

0:02

Two and a half admins episode 181. I'm Joe. I'm

0:05

Jim. And I'm Helen. And

0:07

here we are again. IT

0:09

consultant in Germany fined for exposing

0:11

shoddy security. This actually reminds

0:13

me of some of the early DMCA cases

0:15

back in the 90s when

0:18

newspapers would put just

0:20

completely unsecured visual basic

0:22

access applications out on the web and somebody

0:24

would discover it and poke around at it

0:27

and be like, Hey, did you mean to

0:29

do this? Cause like I could post articles

0:31

if I wanted to. And then the newspaper

0:33

immediately calls the cops and tries to soothe,

0:35

you know, the person for being an OMG

0:38

evil hacker. So this

0:41

is essentially the same

0:43

story again. This security

0:46

consultant found a password that

0:48

was just baked in clear

0:50

text right into an executable. The

0:52

password was to a publicly accessible

0:54

database application. And so he used

0:58

it to see what was there in the

1:00

course of research. And he notified to the

1:02

company, you know, Hey, anybody

1:04

can literally just see that password,

1:07

your database in the application and

1:09

can use it to log on and see

1:11

all of this data in the database. That's

1:13

a bad thing. So of course they decide,

1:16

well, this is the bad guy right here. And let's

1:18

throw him under the bus. You can see

1:21

how this would have happened 20, 25 years ago, but

1:23

how the hell is this happening now? Well,

1:25

do you think judges are that much more

1:27

IT aware than they were then?

1:30

Maybe not judges, but surely some

1:33

of the police and The police? Are

1:35

you kidding me? I mean, I was

1:38

expecting you to make that comment about

1:40

like, you know, a middle manager or,

1:42

you know, corporate brass type who initiated

1:44

the legal proceedings and say, shouldn't they

1:46

know better? And the answer to that

1:49

question is yes, they should know better now than they did 20,

1:51

25 years ago. They might still not like no,

1:54

no, but they should know a lot better. But

1:56

what hasn't changed in the intervening 20 to 25 years.

2:00

is the impulse to just be done with the

2:02

thing. Like, a bad thing happened,

2:04

I'm pissed off about it, and here is

2:06

somebody that I can excusably

2:08

use to vent my ire upon.

2:11

And that's all some people need.

2:14

Now, as to the question of why this would

2:16

happen in the courts, the answer

2:18

there is, as far as I

2:20

can tell, from looking at what the article had

2:23

to say, it looks like it's a basic and

2:25

not really IT-related legal screw-up.

2:28

When assertions were made about whether or

2:31

not a plaintext

2:33

password baked directly into an executable,

2:35

and an executable reminds you that not

2:37

only the customers had access to, but

2:39

anybody could download this executable directly

2:42

from the company. With no prior association

2:44

to the company, they could download it,

2:46

and doing so would give them access

2:48

to this password that's, again, embedded in

2:50

plaintext inside the executable. So,

2:52

when the plaintiff made

2:55

the case that this

2:57

does not qualify for protections because

3:00

this was a secured secret – I forget

3:02

what the translated German legal verbiage is, but

3:04

essentially, the law in question says that it's

3:07

not hacking if it wasn't secured in the

3:09

first place. It's basically what it boils down

3:11

to. And when the

3:14

plaintiff said that this was evil

3:16

hacking because the password was the

3:18

security thing, and they bypassed the

3:20

password, what should have happened

3:22

is the defendant should have called an expert

3:25

in to testify, and the expert would inform

3:27

the judge, no, this

3:29

does not qualify as a protected

3:31

secret under this statute because X,

3:33

Y, and Z. That

3:35

part didn't happen, and without bringing in the

3:38

expert to challenge the statement that was made

3:40

by the plaintiff, well, if it makes

3:42

sense to the judge, it rolls right on through. And

3:45

part of this is the defendant is

3:47

looking at 3,000 euro fine, and if he's

3:50

going to spend that between the lawyer and

3:52

the expert to defeat it, it maybe doesn't

3:54

make sense. I believe Germany is at winner-takes-all

3:56

court system, though. That's a good point. I

4:00

recall, if you lose, you got to pay

4:02

the, uh, you got to pay the Victor's

4:04

court costs. But I think the other part

4:06

there is to people who are the types

4:08

that don't listen to this podcast, opening

4:11

up an executable file that's in binary

4:13

and finding plain text strings in it,

4:15

beside the fact that people know how to use

4:17

the strings command is just

4:20

as much hacking as anything else.

4:22

Then not that that's correct, but

4:24

basically if they don't understand how

4:26

it works, then it's magic and they can say

4:29

it was hacking. And that's a really

4:31

big part of the problem here. The

4:33

police sees the guy's computers because the

4:35

company claimed that he could only have

4:37

gotten this password through insider knowledge because,

4:39

you know, it's a secret inside

4:41

their company. And I guess they don't realize that.

4:44

Yeah. And you baked it into the executable and

4:46

put it up on your website for anybody to

4:48

download. If you're not familiar with that command that

4:50

Alan just mentioned is like a one

4:52

off there strings, literally you can just type

4:54

strings and, you know, the executable file and

4:56

it will look for plain text in there

4:59

and tell you all the little bits of,

5:01

you know, plain text they could find. It

5:04

is not a difficult procedure. No, that

5:06

sounds like pretty extreme hacking to me,

5:08

Jim. Well, it sounds like this guy

5:10

didn't even use a tool like that.

5:12

He literally opened the executable in a

5:14

text editor. Now, he probably would

5:16

have had a reason to start there, but

5:19

that's maybe beside the point. But yeah, so

5:21

the string command is available on, you know,

5:23

BSD and Linux and so on. By default,

5:25

I think finds any string of eight or

5:27

more printable characters in a row. And

5:30

so you can run it on, you know,

5:32

a tar file or an executable or anything

5:34

and it'll just find any globs

5:37

of human readable text and spit

5:39

them out for you. I've used

5:41

it in the past to do something very similar

5:43

to find passwords hidden in flash SWF files

5:46

for video streaming back in the day when they'd have

5:48

a video stream where the URL was protected by a

5:51

secret. But the secret was baked into the

5:53

flash player. And if you knew how to use the strings

5:55

command, you should get the raw feed of the video. And

5:58

I'm sure to everyone else that was. magic

6:00

super elite hacking rather than I ran

6:05

the strings command and found the thing that

6:07

was obviously two English words

6:09

stuck together that I would guess was

6:11

the password and oh yep that was the password. Yeah

6:13

but so a lot of people using nmap as hacking. Yeah.

6:15

And those people

6:18

should not be consulted on their opinions of

6:21

what is or is not hacking and much the same

6:23

reason you really shouldn't ask me what it feels like

6:25

when the baby kicks at six

6:27

and a half months. Ask somebody who

6:29

does. Canadian

6:31

man stuck in triangle of e-commerce fraud.

6:33

This is a kind of a complicated

6:36

one and it doesn't work

6:38

if you don't understand how the scam

6:40

works. This triangle e-commerce fraud

6:43

that we're talking about initially looks a lot like

6:45

a standard drop shipping scam. Now you're probably familiar

6:47

with drop shipping scams. That's where somebody finds

6:50

a product they think that lots of people will want

6:52

that's available for anybody

6:54

to buy and then rather than telling everybody

6:56

hey go buy this thing from here they

6:59

instead set up their own e-commerce site

7:01

and they say you can buy this

7:03

thing from me. Only they don't have

7:05

the thing. They just drop ship directly

7:08

from the actual vendor to you and charge you

7:10

more money that it costs them to buy it.

7:13

So that's usually not illegal but it's

7:15

obviously a grift in the same way that

7:18

scalping tickets for concert would be. You're unnecessarily

7:20

inserting yourself somewhere as a middleman who provides

7:23

no actual value but just extracts

7:25

lucre. However that's

7:27

not quite what was going on

7:30

here. What happened for this

7:32

triangle of fraud is you had one

7:35

attacker and two victims. The

7:37

attacker first gets access to either

7:40

a credit card or a retail

7:43

login you know like at Walmart or Amazon or

7:45

what have you from victim number

7:47

one and then puts

7:49

up again you know it's it's the whole

7:51

like we're just gonna do the drop ship

7:53

thing. You either put up an e-commerce site

7:55

or in this case you just list things

7:57

for sale on Amazon yourself. But

8:00

rather than you actually having those things, you're

8:02

still just doing the drop shipping scam. The

8:04

only thing is, you're not

8:06

buying the original thing that you drop

8:08

stripped straight from the original vendor. You're

8:11

using victim number one's money to buy that

8:13

thing and ship it to victim number two.

8:15

So then what happens is, it looks like victim

8:18

number two is the one who's been stealing from

8:20

victim number one when it was really you all

8:22

the way along. Victim number two

8:24

was just looking for a place to

8:26

buy the thing, found your listing, and

8:28

bought it theoretically from you, and

8:31

you used a stolen credit card or

8:33

login to get those things shipped to

8:35

that victim. So this is what

8:37

happened, and understanding that, let's talk about the

8:39

actual case and the way

8:41

that the Canadian cops responded to it,

8:43

which was horrible. So

8:45

yeah, what seems to be the biggest

8:48

part of the problem here is that

8:50

when the police, in this case, the

8:52

RCMP, because this took place in rural

8:55

Alberta, which doesn't have its own police,

8:57

and so they contract the federal police

8:59

to police locally, they got a

9:01

complaint from victim number one in Ontario saying,

9:03

somebody hacked my Walmart account and bought a

9:05

whole bunch of stuff and had it shipped

9:07

themselves in Alberta using my credit

9:10

card, and they're stealing from me. And so they

9:12

get this report with an address of where the

9:14

stuff was shipped, and they go there and it's

9:16

like, hey, why did you steal all this stuff?

9:20

And the guy's like, what do you mean? I bought

9:22

this legitimately off Amazon. He's like, well, why does it

9:24

say Walmart on the box? He's like, I don't know.

9:26

And he genuinely did not know because why would he?

9:28

Because he bought a thing on Amazon, and the thing

9:31

showed up exactly as it should and in

9:33

the timeframe that it should. And

9:36

you kind of have to really be paying attention

9:38

to it. It's like, oh, hey, the exact items

9:40

that I ordered showed up exactly when they should,

9:42

but they showed up from the wrong vendor. And

9:44

with somebody else's phone number on the shipping level,

9:46

but my address. But it was

9:48

further complicated by the fact that actually this stuff

9:50

was a little late in getting there, and so

9:52

the guy wasn't home. He was actually on the

9:54

other side of the country for work, and

9:57

so police were like, yeah, you've got to come down to

9:59

our office. here and talk to us and say, well,

10:01

I'm on the other side of the country right now. I'll be

10:04

home in like a week. And as their

10:06

investigation went on, and they think this guy is like

10:08

dodging them, they get really

10:10

nasty about it, totally unnecessarily.

10:13

And as the guy is trying to consult

10:15

a lawyer about it, they're like, yeah, you

10:17

know, we're going to become a rescue and

10:19

making almost threatening statements. Not

10:22

almost threatening. They very specifically threatened to

10:24

break down his door, inquired

10:26

him about where his wife was

10:28

and what her itinerary was. And

10:30

just, it's a

10:32

classic and very familiar case of just

10:35

police intimidation. You know, the cops decide

10:37

they've got the bad guy, and therefore,

10:39

they are by God going to make him

10:42

regret the day he was born. And that's

10:44

one thing when you do actually have the

10:46

bad guy, but that's why it turns out

10:49

the cops are only supposed to investigate. They

10:51

are not the judge, the jury, or the

10:53

executioner, ideally. They're not even

10:55

supposed to determine guilt, right? That's for the courts, not the

10:57

police. Ah, but

10:59

that's where it gets even worse, because it

11:01

turns out in Canada, even the court isn't

11:03

actually who determines your guilt in one sense.

11:06

So our victim number two here, Travis

11:08

Barker, the guy who is in rural

11:11

Alberta, he now has the issue

11:13

that he is unable to find work because

11:15

he has a criminal record. Where

11:18

he is, your criminal record, is not a

11:20

record of your convictions. It's a record

11:22

of your charges. And

11:24

as it finally started becoming clear that

11:26

maybe this case was a little bit

11:28

more complicated than they thought initially, the

11:31

RCMP simply declined to prosecute. Now,

11:33

they didn't clear the charges. That

11:35

wouldn't be the RCMP. That would

11:38

have been the Crown Prosecutor. Yes,

11:40

they stayed the proceedings, so they just kind

11:42

of put pause on the case. We could still

11:45

come back and charge you later, but we're not charging you right

11:47

now. But the charge is

11:49

still listed on this public record.

11:51

That is what employers have access

11:53

to look at. They don't get

11:55

very much information, and so it makes it

11:57

hard to tell the difference between their There's

12:00

this case pending and someone's

12:02

actually been found guilty of something. It's

12:04

not that often that I look at

12:06

my northern border and think, well, thank

12:08

God I'm not on that side of

12:10

the line. But that's terrifying, the idea

12:12

that charges are treated the

12:15

way convictions are down here. Like, if

12:17

it worked that way down here with the way our

12:19

cops act, like, we'd all be in jail, every

12:22

last one of us. ICANN

12:25

proposes creating .internal

12:27

domain. It's sort

12:29

of like private subnets, non-routable

12:31

private subnets like 192.168 or 10. But

12:36

for DNS, the idea here

12:38

is that if you've got a

12:41

purely internal bogus TLD

12:43

essentially that you want to use, it should

12:46

be .internal. The

12:48

big thing that you get out of this is

12:50

if you were to create a purely private domain

12:53

that ends in .internal for its TLD,

12:55

then queries to that domain will not

12:57

go out to the root servers of

12:59

the internet even if they escape your

13:01

local network. Because every

13:04

other DNS server understands, oh,

13:06

this is not something that I should try

13:08

to resolve in much the same way that

13:10

every router out there understands, oh,

13:13

no, I should not be trying to route

13:15

packets to 192.168.0.whatever. Yeah.

13:18

Yeah, we've seen lots of proposals of

13:21

this like .land, all kinds of things.

13:24

It's good to finally see something happening.

13:27

Why it took so long is an interesting

13:29

question. After years of

13:31

debate, ICANN has narrowed down to .private

13:33

and .internal, but decided on .internal for

13:35

kind of similar reasons we talked about

13:38

a couple of episodes ago with private

13:40

browsing mode. They didn't want

13:42

to give the implication to people that this will

13:44

somehow protect privacy because it won't. It's just this

13:46

means that this thing is not meant to be

13:49

routed to the internet and so

13:51

.internal was chosen. Okay,

13:54

this episode is sponsored by people who

13:56

support us with PayPal and Patreon. Go

13:58

to 2.5admins.com. for

14:00

details of how you can support us

14:03

too. 2.5 Admins is part

14:05

of the Late Night Linux family, which means that for $10

14:07

a month on Patreon you get

14:09

access to an RSS feed that contains

14:11

all the Late Night Linux family shows

14:13

without adverts like this. There's also

14:15

an option to get Just This Show ad free for

14:17

$5 a month if you prefer. Some

14:20

of the episodes are even released a day or

14:22

so early for Patreon supporters. So,

14:24

if you like what we do and can afford it,

14:26

it would be great if you could support us at

14:28

2.5admins.com. Let's

14:32

do some free consulting then, but first just a quick

14:34

thank you to everyone who supports us with PayPal and

14:36

Patreon. We really do appreciate that. If you

14:38

want to join those people you can go to 2.5admins.com. And

14:42

remember that for various amounts on Patreon you can

14:44

get an advert free RSS feed of either Just

14:46

This Show or all the shows in the Late

14:48

Night Linux family. And if you want to

14:50

send in your questions for Jim and Alan or your feedback,

14:52

you can email show at 2.5admins.com. Tom

14:56

says, I'm building a really large NERS, a

14:58

mini computer actually, 32 terabytes

15:00

of the four hard drives. Try and

15:02

just press giggles that they're being really

15:04

large. Yeah, I was waiting for this.

15:06

Yeah, yeah. But I don't want to,

15:08

I'm not cheering anybody. No, no, no,

15:10

but that's not large to some people.

15:13

That would be large to me to be fair. But

15:15

anyway, 16 gigs of RAM, the whole

15:17

thing. Aside from this being a

15:19

daunting project for a relative noob to take on, are

15:21

there any recommendations as far as OS? As

15:24

far as the real benefit of RAID, it seems

15:26

to only cut the total storage available. Oh

15:29

well, RAID's a great backup, isn't it? Ha, ha,

15:31

ha, ha, ha. The advantage of RAID is that

15:33

if you lose one hard drive, you don't lose

15:35

either all the data or one quarter

15:37

of your data. The whole point of

15:39

RAID is that hard drives will fail, period.

15:41

They definitely will. And RAID means,

15:44

depending on their configuration, being able to

15:46

lose at least one of those drives and

15:48

replace it without losing the data. Yeah, without

15:51

losing any uptime. Yes, although the uptime isn't

15:53

even that big of a deal in the

15:55

end, it's really about not losing

15:57

the data. If you just stripe

15:59

or span those four hard drives

16:01

to get one really big volume that

16:04

holds your 32 terabytes and

16:06

you start writing files through it, if you lose

16:08

one of those drives, it's likely the entire 32

16:10

terabytes of data is garbage now. And

16:14

Raid makes sure that maybe you don't get to

16:16

use all 32 terabytes, but when one of the

16:18

drives does die, because it will, that you can

16:20

swap it out with another one, wait for it

16:22

to rebuild, and hey, look, all

16:24

your data is still there. Hang on Alan,

16:26

it sounds to me like you're trying to

16:29

devalue our t-shirt that doesn't exist. Raid

16:31

is not a backup. No, you still need

16:33

a backup. So if you only can afford 32

16:35

terabytes worth of hard drives, what

16:37

you're actually going to have is one mirror of

16:40

eight terabyte drives on your primary and one mirror

16:42

of eight terabyte drives for your backup or something.

16:45

Or maybe like a Raid

16:47

5 or Raids Ed 1 of three drives as the

16:49

primary and one drive is the backup, but then your

16:51

backup won't be big enough. And yeah. So

16:54

Raid is not a backup. It's just about

16:56

keeping the one system going and not losing

16:58

the data. You still need your backups because

17:00

the other thing Raid doesn't help you from

17:02

is when you accidentally delete something or

17:04

you get ransomware or the power goes out and

17:06

it corrupts the file, although that doesn't happen on

17:09

ZFS. But all the different

17:11

things that can happen, whether it was somebody did it maliciously,

17:13

somebody did it accidentally, the program screwed

17:15

up, whatever, having other

17:18

versions of those files on another

17:20

machine is absolutely critical.

17:23

Well, like failing from late night Linux,

17:25

for example, his cat pissed on his

17:27

UPS and totally fried

17:29

that. Now, if that had been his storage

17:31

server, it could have totally fried that. And

17:34

so yes, you do need a backup. Why

17:36

does that just feel like an especially Irish

17:38

story? But

17:42

it does, doesn't it? It does a little

17:44

bit. Yeah. You

17:47

absolutely have to have a backup. Backups

17:49

aren't optional. If your choice is between

17:51

parity or redundancy, meaning a mirror or Raid Z

17:53

and a backup, you can only afford one of

17:55

the other. You take the backup

17:58

and you run with no redundancy because... backups

18:00

are better. Now your

18:02

other option is you don't necessarily have to host

18:04

your own backup. If you want to go ZFS,

18:06

you could set up an rsync.net

18:09

account and you can back up to the

18:11

cloud. You can replicate directly to them pretty

18:13

easily. At this scale though,

18:15

it's usually better to just go ahead

18:17

and run your own backup because you'll

18:19

very quickly spend more money on monthly

18:21

costs for backup somebody else is hosting

18:23

than you will in just

18:25

putting some hardware together for yourself. But if

18:27

you've never run a storage server

18:30

before, even a small one, and

18:32

you've only ever had say USB drives and

18:35

then you buy two large drives like

18:37

two 18 terabytes in my case, it

18:39

is quite galling to just

18:41

only have 18 terabytes available and

18:44

mirror them. There's just something

18:46

that feels like really quite frustrating about

18:48

that and you two have taught me

18:50

enough to know that like no, don't

18:52

feel that frustration. But for someone who's

18:54

new to it, I understand

18:56

why Tom is saying like, I

18:58

don't want to cut the total storage available. Oh, I

19:01

understand it too. I mean, we've all been there. We've

19:03

all been that person that had to learn

19:06

that lesson and stubborned up and

19:08

really liked the sound of 32 terabytes versus 16

19:10

or 96 terabytes versus 48 or whatever, whatever your

19:15

scale is, you think, man, I just

19:18

want to be able to say I have

19:20

this volume that's all these terabytes at once.

19:22

And if I split this up into my

19:25

production, my backup, well, then now I have to

19:27

cut that number. And if you

19:30

think that number doesn't gall, you know, folks like

19:32

me and Alan also, you're wrong. It does. It's

19:34

worse for us because for us, we're like,

19:37

we not only need backup, we need

19:39

multiple backups and we need proper redundancy

19:41

on our production and our hot spare

19:44

and our backup. So, you

19:46

know, like for me personally, I'm usually

19:48

doing mirrors on everything. I've

19:50

got three boxes for any given application, the

19:52

production, the hot spare and the backup. So

19:54

when you want to talk about what I've

19:56

got to buy, the total number of hard

19:58

drives I buy. you got to divide

20:00

it by six to come up with the actual capacity

20:03

I've got to work with. Not two, six.

20:05

Yeah. I just finished a job where I

20:07

replaced a server that has 68 hard drives

20:10

that grew over time with like 12, 12,

20:12

12, 12, 12, 10, 10, et

20:14

cetera. And so I replaced all the oldest

20:17

drives, which are five terabytes with brand new

20:19

16 terabyte drives. But

20:21

each of those sets of 12 is a RAIDZ2.

20:24

And so two of those drives'

20:26

capacity just go away. And 16 hard drive manufacturer

20:30

terabytes is 13.9 actual

20:33

usable terabytes or whatever. And so

20:36

lots of space disappearing there. And

20:38

so while it was nice to get the extra 90

20:40

terabytes of free space, I bought

20:42

192 terabytes of hard drives to

20:44

get that. And that's

20:46

just the backup server needed to

20:48

perform the same operation on the primary too. So

20:51

then you're talking about buying 24 16 terabyte

20:54

hard drives just to be able to do that. You

20:56

just need to have a different mindset, don't you? You really

20:58

do. We should probably back

21:01

down a little bit off of Alan's and my tales

21:03

of having to buy legions of hard

21:05

drives for things, because it's not

21:07

really the scale that Tom is talking about. And

21:10

this is a person who has four hard drives

21:12

and wants to get the most they can out

21:14

of them. And the unfortunate thing is if with

21:16

a total of four, you don't really

21:18

have a whole lot better option than

21:21

divided in four. Now,

21:23

if you add one more hard drive to that

21:26

mix, then you could say, for

21:28

example, you know, I'm going to have a mirror

21:30

on my main system that gives

21:33

me eight terabytes of storage. And

21:35

I'll do a RAID Z one on my backup

21:37

that doubles that. So now you can not only

21:39

back up your eight terabytes, but also have some

21:42

archive depth, which is a really nice thing to

21:44

have. Or if that doesn't appeal,

21:46

well, if you'll buy two additional

21:48

hard drives, then you can have a RAID

21:50

Z one three wide on both sides. I

21:52

do not advise going wider than three drives

21:54

on Z one, but three is

21:57

fine. And now for those

21:59

two additional. drives, well now you can have 16

22:02

terabytes on both sides. There

22:04

are a lot of combinations there, but if

22:07

you want more than 8 terabytes of usable

22:09

storage and you don't want

22:11

to be running a big risk of losing data

22:13

down the line, you probably need at least one

22:15

or two more drives. The analogy that comes to

22:17

mind when people complain about this to me is

22:19

like somebody who wanted to buy racing tires

22:21

for their car, but they could only afford to replace one

22:23

of the four tires on their car with a racing tire.

22:27

I think that analogy is more apt to the

22:29

legions of people that want to make a super

22:31

fast Miravitav with one solid state drive and one

22:34

rust drive. Yeah, that is even better

22:36

run for that. What about recommendations

22:38

as far as an OS? Normally you say

22:41

Zigma and NAS, don't you Jim? Yeah, Zigma

22:43

and NAS is generally my favorite for just

22:45

a fired up and go NAS

22:47

distribution. I think it's

22:49

definitely going to be easier for a

22:51

relative newbie just because there's a lot

22:53

less going on there and the interface

22:55

is a bit quicker to respond. On

22:58

the other hand, if you think you might

23:01

want every conceivable shiny bell and whistle that

23:03

isn't even necessarily really a NAS

23:05

thing, but if you also want to run VMs

23:08

on the machine or what have

23:10

you, TrueNAS offers you a lot

23:12

more flexibility there. With

23:15

that additional flexibility, very much comes

23:17

additional surface that you can use

23:19

to get yourself in trouble. So

23:21

be cautious of that. The

23:24

final option for, I just want to throw a distribution

23:26

at this that's going to do some of the heavy

23:28

lifting for me. It's

23:30

getting increasingly popular for people to

23:32

just install Proxmox and run everything

23:34

in VMs under Proxmox. At that

23:36

point, whatever you want

23:38

for your file server, maybe you literally want

23:40

to just have like a Windows computer that

23:43

is giving you a map drive. Well, you

23:45

can just fire up a Windows VM on

23:47

Proxmox and store all your files there. Or

23:49

you can spin up a Samba server there. Or You

23:52

can spin up Open Media Vault. Or

23:54

You can do a Zigman as or

23:56

a TrueNAS That's preferably probably not using

23:58

ZFS that don't really. Recommend Nesting

24:00

vs Money for the of as it

24:02

does work but you can have some

24:05

performance issues if you're gonna ness the

24:07

Nas distribution under his to the Fs

24:09

I would generally recommends. yeah the Zf

24:11

us on the outside and then on

24:14

the inside just use us to or

24:16

he Xt for whatever the the default

24:18

cheap and easy legacy file system is

24:21

on that distribution. Mean. My

24:23

advice What is worse as if you want

24:25

to learn about this stuff then just install

24:27

a boon to of previous day. And.

24:30

Just build up manually. Or

24:32

if you want to just get going than yeah, Use.

24:35

One of the descriptions that Tim's recommended by

24:37

for me, I wanted to learn how it

24:39

all actually fit together and that's why I

24:41

just installed regular. Been to and if you

24:43

want do a freebies denies from scratch the

24:46

Clara But site has a series of articles

24:48

on everything from how can you pick up

24:50

the hardware through to setting up, setting up

24:52

the bow, selling, etc. While. We're on

24:54

the topic of picking up the hardware. There is one thing I

24:57

want to mention. Were. Talking about a

24:59

system with for a terabyte drives and

25:01

the first thing that leaves out to

25:03

me as a terabyte is not a

25:05

size of drive the I would buy

25:07

the day. Now I understand it

25:09

very frequently people are working, withdraws they

25:11

already have that they've acquired. You know,

25:13

one way or another where they've already

25:16

bought Amazon. it's only body like them.

25:18

Get a cell gear they already house.

25:20

but if you haven't bought your kit

25:22

yet, Think carefully before we

25:24

decide what hard drive to buy. I

25:26

do not recommend buying a bunch more

25:28

smaller drive sizes thinking we'll all get

25:30

more performance this way you might for

25:32

you might not, but you will certainly

25:35

can see more power, have more potential

25:37

things to break and limit your expand

25:39

ability. Journaling what you want to do

25:41

is you want to get onto a

25:43

reputable vendor site and look at what

25:45

they have to offer and you'll see

25:47

that the very small hard drives a

25:50

more expensive per terabyte, and then you

25:52

hit a pretty stable cost per terabyte that

25:54

these days starts around

25:56

the 8 terabyte mark, and that cost will

25:58

stay about the same until there's

26:00

another point where it'll start to get more expensive.

26:03

You want to buy the biggest drive where

26:05

the cost per terabyte hasn't actually gone up.

26:07

Because I promise you, it's typically going to

26:09

be cheaper all the way around to deal

26:11

with a couple of 16 terabyte

26:13

hard drives than four 8 terabyte

26:15

drives, and there will be less to break.

26:18

Yeah. I linked in the show notes to

26:20

a great aggregator that scrapes Amazon and Newegg

26:22

and so on and looks at all the

26:24

drives for sale and sorts them by price

26:27

per terabyte, which can be the best

26:29

way to find the deals on the drives

26:31

where you're paying the least per

26:33

terabyte. Otherwise it can be hard to

26:35

look at, oh, well, the 8 terabyte drives are like $119 to $129, and

26:37

the 12 terabyte drives are $180 to $200 and being able to pick the

26:46

right one. Because yeah, what Jim is

26:48

saying there is you might be better off buying

26:50

two 16 terabyte drives to get your 32 terabytes

26:52

and being able to buy two more before

26:54

you run out of slots in your chassis in

26:57

the future to expand rather than going for four

26:59

hard drives straight away. But at the

27:01

same time, if you only have so much budget and you

27:03

need to have a backup as well, then maybe more hard

27:05

drives is better. But definitely look at

27:07

the cost per terabyte and don't fall in the

27:09

trap of, oh, the smaller hard drives are cheaper.

27:12

It's like, yeah, but not per terabyte. And if

27:14

you're buying a significant number of terabytes, it can

27:16

make a big difference. Given

27:18

that I was just talking about maybe you might want

27:20

to buy a couple more drives, what

27:22

Alan's saying here really factors in there because one

27:25

of the things that might make a lot of

27:27

sense is keep your group of four 8 terabyte

27:29

drives exactly as it is. Put that in one

27:31

box and buy a pair of

27:33

16 terabyte drives for the other one. If

27:36

you're going to do that somewhat counterintuitively,

27:38

I would really recommend the 16 terabyte

27:40

drives on the production side and use

27:42

the four 8 terabyte drives as your

27:45

backup. In theory, more

27:47

spindles means more performance. In practice, these

27:49

days at this scale on rust drives.

27:51

It's not usually going to work out

27:53

that way. So really what you're

27:55

doing is you're putting your 16 terabyte

27:58

drives, the newer drives, in

28:01

the system that you're touching more frequently. I'm

28:03

not sure if I recommend it yet, but

28:06

I just bought my big batch of 16

28:08

terabyte drives from a company called

28:10

Server Part Deals that's selling recertified drives from

28:12

Seagate at significant discounts, like $10 a terabyte

28:14

rather than $15 to $18 a terabyte. But

28:20

they have a shorter warranty. I do recommend

28:22

those. I have bought quite a number of

28:24

refurbished drives, and quite a number of them

28:26

specifically from that vendor. I have yet to

28:28

be bitten. Yeah, and they have both SATA

28:30

and SAS drives. A lot of them

28:32

are enterprise, so if you care about noise, be

28:35

careful, and look up the model numbers and

28:37

so on. But you can save

28:39

a lot of money by cutting a third

28:42

off of the price of hard drives when you need to

28:44

buy quantity. Right, well, we'd

28:46

better get out of here then. Remember, show

28:48

at 2.5admins.com if you want to send in your

28:50

questions or your feedback. You can

28:52

find me at jrs.com/Mastodon. You

28:54

can find me at jrs-s.net/social.

28:57

And I'm at Allan

28:59

Jude. We'll see you next week.
