• 0 Posts
  • 16 Comments
Joined 1 year ago
cake
Cake day: July 17th, 2023

help-circle

  • Storing Drivers Licence: Was answered elsewhere. Bottom line… Bitwarden seems like it can store other types of data. Note that I don’t use Bitwarden yet, but have experience with Enpass and 1Pass, both of which can store all sorts of data.

    Why separate storage if Bitwarden is E2EE? You are placing all your trust in a single organization - Bitwarden. If they get hacked, then it is possible for the hackers to poison their software to deliver master passwords (hacks of s/w repositories has happened). I prefer to separate encryption from storage so a hack in both is required to get my data. Note that I do the same for offsite backups to Glacier/S3. I use Arq to do the backup and encrypt the files, then send them to S3 for storage.

    The 2023 IBM Report on Cost of Data Breeches indicated that the average time for a company to discover a breech is about 200 days, and on average another 70 days to remediate. That keeps me up at night in my day job as security dude.




  • My approach to this is as follows:

    • the password manager is probably the most important and often used piece of software I own. We (wife and I share the vault) store everything important/private in there - bank details, hundreds of passwords, passport details, drivers licence etc. It is used many times a day by us both.
    • Loss of control of this data would be catastrophic, so I took its security very seriously.
    • No one company can be trusted with our data, because they all get hacked or make mistakes at some point.

    I’m the security dude for a cloud service provider in my day job, so my goal was to use Separation of Concerns to manage my passwords. I therefore split the software from the storage, choosing software from one company, and storage from a second company. That way, it requires a failure on both parties at the same time for me to lose control of all the data.

    I used to use OnePass for the software, storing the data in Dropbox. But then they removed that option, so I switched to Enpass. Data is stored in a vault on the local device and synced to a folder on Dropbox, which we both have access to from all our devices (Mac’s, iPads, iPhones). The vault is encrypted using our master password and Dropbox only sees an encrypted file. Enpass provides software that runs locally and doesn’t get a copy of my vault file.

    If Dropbox has another failure and the vault gets out, then that is not a problem as long as Enpass have properly encrypted it. If Enpass has a bug making the vaults crackable - again it’s not a problem as long as Dropbox doesn’t lose control of my vault file. I update Enpass, the vault gets fixed and life goes on.

    Enpass is very usable, but buggy. It crashes every night (requiring me to start it again and log in), and often loses connection to Safari and wont re-establish it. It got better with a previous update, but has got unreliable again. I’m about to look for another.

    Cheers.







  • Be wary of RAID 5 or 6.

    They both have a « write hole » problem (or though much less so in RAID 6). Any power failure which causes an incomplete write can cause a complete RAID corruption - meaning all data is lost. Hardware RAID controllers usually have an onboard backup battery so they can store some information to complete operations should there be a sudden power failure. Software RAID does not have this, and you need to provide a UPS with automatic clean shutdown as the battery runs low using nut or some equivalent.

    Some people go as far as to say that RAID 5 should never be used.

    You also have very long recovery times when you replace a failed drive (days). Any other failure during this time means total data loss (of course RAID 6 gives you a second redundancy). Weekly Resyncs are very slow too (hours to days), and (unless you constrain your max throughput) will bring your system to its knees.

    zfs does not suffer from these problems, BTW.

    I run software RAID 5 via mdadm and have a UPS. I’ve replaced drives twice with no issues other than a slightly nervous long wait during recovery. I’m too cheap to buy the extra HDD for RAID 6, and may end up regretting it one day.


  • My $0.02c worth - I have run all sorts of servers at home over the years, and one of the main challenges around the hardware is managing heat.

    I’ve used mini-ITX mobos and tiny cases for builds. They look gorgeous, but at some point, when you stick enough drives in there (assuming you can) or make the CPU/GPU busy, you are going to have a heat problem, or a noise problem, or both.

    On my mythtv build I used M-itx and a gorgeous Lian Li small case. It was a beautiful add to my home theatre stack, but in the end I drilled a ton of small holes in the top and added a slow 140mm fan to control the heat without noise.

    The same goes for my file server - it was a slightly larger case with no GPU, but once I added my 6th HDD and had a ton of services running, heat became an issue and I was having to add extra fans, which could only be 80mm so they ran fast and noisy.

    My new build I’m going to go all the way with a Phanteks Enthoo Full Tower and a few 120mm fans. I’ve decided that looks don’t matter

    The other problem for me with these tiny builds is cable management. I’m complete shit at it, and small builds requires some skills. A big case gives you space to spread those cables out.

    Lastly, you can get ATX or EATX mobos with 6, 8 or more SATA connectors - room for growth! And there are very low power options available.

    I’ll soon have the appleTV + TV upstairs, laptop in the office, and the monster server downstairs with cat-6 + Gb fibre throughout.




  • I forgot to mention - spam isn’t too bad with a well trained SpamAssassin.

    Plus you will need to learn your virtualisation tool really well because of all the networking routes required and operating it on the command line. VBoxManage is your friend, but its just not friendly.

    From a security perspective - I did everything in Linux, and only opened the required ports (plus ssh, which I moved to a random high port number). I have auto-update on for security patches, but NOT for regular patches (because Zimbra tends break things, so you need to snapshot first).


  • I’ve been running my own mail server for about 15 years now… Let me offer some insights.

    • Its used by me and the family, so I do have other users who expect things to work.
    • I used commodity hardware, with a Linux host (and guest).
    • the mail server runs in a VM, so it is trivial to: stop, copying the VM to USB, restart.
    • Maintaining uptime isn’t too bad, but when the mail server goes down, you need to get onto it quickly. I’ve had power supplies fail, HDD’s fail, memory fail.
    • If you should happen to be out of town when a failure occurs (I’ve had this twice), then the server stays dead until you are back. That does not make your users happy. If its more than 4 days, then the SMTP standard says email is lost.
    • There have also been a few software issues with Zimbra (my current tool) - the stats daemon filled the disk, the upgrader broke permissions all over the place multiple times. Each of these requires time to investigate, research online etc. Snapshotting is awesome! Right now I have a problem where the VM disk file is growing, but the space used inside the VM is not. I have zero’d out free space and compacted the VM but don’t know why it is happening yet. More research needed.
    • You will learn to hate blocklists. There are many, and there are meta blocklists. You have to watch them because at any time, you will be added and your email will silently get dropped. Sometimes the blocklist trashes whole subnets because of a single actor, sometimes even more, and so you will get included due to other bad actors. Getting off a blocklist is hard… you send emails, you fill in web forms, you look for a contact details, you wait… Then some number of days/weeks later, you are off again.
    • You have to learn DKIM, SPF, DMARK, managing DNS etc.
    • I used to use self-signed certs and live with the warnings. Now I used Lets Encrypt, which is awesome!.
    • You can try to get reverse DNS working, but that’s up to your ISP (who usually don’t care, so good luck). No rDNS can be viewed as bad by email recipients so your spam score starts at >0.
    • If you run it at home, you will be part of a block of IPs that are known to be home users, so your spam score starts at >0.
    • I’m lucky in that I run it on a spare public IP address on my server housed at work. But that will need to change soon.

    I started using native Linux mailboxes, later added roundcube (web UI), investigated Mailinabox, but now use zimbra. That gives me calendar/contact sharing, email/calendar/contacts to iOS devices (which is the main way my family get email), and lots more. Moving data from one to the other took a couple of days of effort. (Yeah… I know its supposed to be trivial, but its not when you include tool research, testing, execution one at a time etc).

    Bottom line - you will learn lots, you will lose many weekends and sometimes a weekday here or there as you try to handle emergencies, it will never be set-and-forget.

    My original rational was learning, privacy and my own domain and nicer looking email addresses than [email protected]. I’m looking for an online alternative as its time to lighten the load, but I have a lot of services that we use in Zimbra.

    Good luck with it!