Sunday, November 24, 2019

Comparative performance of Tamron SP 24-70mm f/2.8 Di VC USD / Model A007N

I purchased this lens recently, but am planning to send it back.  Experience is below for anyone considering this lens, or wondering if their copy is good or bad.

Note: this post does not review the "G2" model of this lens.

First informal tests showed up a possible issue.

  • Handheld,  1/1000s or higher, high ISO.
  • No, the sign is not straight. Who cares, look at the results!

0 - Uncropped example shot

Yes, I know DOF plays a part.  But still obviously a possible issue.

So, on to more rigorous testing, below.

Note: I am aware it is not fair to compare a zoom against primes, a zoom at max zoom vs. a zoom at min zoom.  However, these are the lenses I had available.   All lenses were shot wide open to make the tests as fair as possible.

All at ISO 100, tripod, 5s self-timer delay, Nikon SB-24 flash, lens VR off, lens was refocused for every shot.

Test rig

Zoom vs. Zoom:  Tamron 24-70 @ 70mm, f/2.8 vs Nikon 70-200 @ 70mm, f/2.8:

Tamron 24-70 f/2.8 @ 70mm, f/2.8

Nikkor 70-200 f/2.8 @ 70mm, f/2.8

Similar focal lengths: Tamron 24-70 @ 70mm, f/2.8 vs Nikon 50mm f/1.8 @ f/1.8:
Tamron 24-70 f/2.8 @ 70mm, f/2.8

Nikon 50mm f/1.8 @ f/1.8

Third-party vs. Third-party:  Tamron 24-70 @ 70mm, f/2.8 vs Tokina 100mm f/2.8 macro @ f/2.8:

Tamron 24-70 @ 70mm, f/2.8

Tokina 100mm f/2.8 macro @ f/2.8

It's obvious the Tamron is far worse than any of the other lenses.  Not what I would expect for this class of lens.

To be fair, I would not expect the Tamron to equal the Nikon 70-200 f/2.8 (which is legendary), the Nikon 50mm (also legendary) or the macro prime.  But for my money, since Tamron touts this as a premium lens, it should be better than this.

Tamron @ 70mm at different apertures (target ~ 80 cm away):

f/2.8 - Poor

f/4.0 - Mediocre

f/5.6 - Excellent, tack sharp detail

OK, so the lens is capable of good performance - just look at that lovely detail at f/5.6.  So it's unlikely to be damaged or defective.  It just has crap performance below f/5.0 or so.

Again, I'm not expecting a third-party zoom to be as good as a prime, or a Nikon zoom.  But the whole Tamron value proposition is to get 80% of the performance  for 50% of the cost. This lens doesn't live up to that.

Also, the whole point of buying a fast zoom is to shoot it fast.  You can't tell me "just" to shoot it at f/5.0 or lower.  What, the athletes are going to slow down because I ask them to?

I tested the lens for front/back focus but could not discern any differences at f/2.8, even at max adjustment in a Nikon D7200,  owing to the poor image quality.  I don't think this lens is compatible with a Tamron TAP-In dock, and it's unclear if any focus adjustment will correct this anyway.

Being a G1, my Tamron was used and so perhaps was not in the best shape.  However, if you're planning to buy one, you may want to test it first.

Thursday, November 21, 2019

How to transfer Terraria data to a new Android

Amazingly complicated tutorial here.

tl;dr version:  Copy the following directories from the old device to the new:


I suggest you also do directory "OldSaves" as well.  On my old tablet, "Players" and "Worlds" were both empty, probably because it was running an older version of Terraria.

The entire rest of the tutorial is a walkthrough on how to copy these up to a cloud drive, and back down again.  Obviously any equivalent method will also do. 

It seems Terraria used to have a cloud save function.  I don't see it in the latest version (as of Nov 2019) and have no idea if it still exists or not.

Migrating Android "Hunt Cook: Catch and Serve" data to new device

Thanks to original poster here

I didn't get the process at first, so I rewrote it with more detail below.

Note:  If you have already started HuntCook on your NEW device, uninstall and reinstall it.  DON'T start it again (yet).

1.  Start HuntCook on OLD device.

2.  If you haven't already set it up, it may ask you to allow access to your Google account. 

You have to permit this, as this is where the backup will be stored.

3.  In the HuntCook app, go to Menu->Settings->Data Backup.

4.  Proceed to back up your data. 

-  You will need to assign a password.  Make it a simple one unique to HuntCook - you don't want a data breach goofing up your real passwords.

-  You will get a cryptic 16-character "Backup ID".  Be sure to write this code down.

-  You will also get the option to take a screenshot.  You can do so but I don't know where it is stored.

5.  On the NEW device, start HuntCook.

6.  Tap "Restore data backup" button in the bottom right-hand corner.

(It may be called something else, I forget the exact button name.)

7.  Enter the cryptic 16-digit "Backup ID" you previously wrote down.  Don't enter the spaces.

8.  Also enter your HuntCook backup password.

9.  You get prompted two or three times to allow transfer of the data from your old device to the new device.  Confirm the transfer.

HuntCook will then import the data and deactivate the game on the old device.  Your new device is ready to go.

You will be warned several times that transferring the data will prevent the transferred gameplay from being played on the old device.  However, the app is not deactivated, and you can start a new game on the old device.

Tuesday, October 15, 2019

Semi-canonical list for errors 0x80070035 and 0x80004005 on Synology NAS

Unfortunately, network problems can have a hundred causes.  This is a consolidation of the solutions found here, here, here, here and here.

I did not get them all, so if the list below fails, you may need to root through the threads yourself.  This will at least give you a head start.

Note:  These solutions are largely aimed at the situation where one (or more) network machines can browse the share properly, and one (or more) machines can't. 

These solutions do not cover Windows Server or Active Directory (AD) issues.

Error 0x80004005: Unspecified error

For this error, you can (usually) browse to the affected share via IP address (i.e. \\192.168.1.xx\share) but not by name (i.e. \\NAS\share).  It may or may not show up in Network.

This is (usually) a local DNS problem.  If you have other machines that work, your router / DNS server is OK, and there is something wrong with the DNS on the affected machine.

For this reason, I recommend you edit the hosts file first.  If that fixes it, and you only have one problem machine, you're done.

Error 0x80070035:  The network path was not found

With this, you usually can't see the NAS in "Network", or browse to it at all.

Possible solutions:

P:   NetBIOS service needed but not starting.

A:  Network and Sharing Center: 
-  Check network is "Private" (either Work or Home). 
-  Go to "Change Adapter Settings"
-  Right-click on network adapter, select "Properties"
-  Double-click "Internet Protocol Version 4 (TCP/IPv4)"
-  Click "Advanced" button
-  Click "WINS" tab
-  Change from "Default" to "Enable NetBIOS over TCP/IP"

Note:  It is best to ensure this is done on all of the network adapters - even if they are not currently being used.


P:  SMB 1.0 is needed but not available.

A:   Enable SMB 1.0 as follows:
-  Control Panel / Turn Windows Features On and Off (or Win + R, "optionalfeatures")
-  Check one of these:
  -  SMB 1.0/CIFS File Sharing Support
  -  SMB 1.0/CIFS File Sharing Support / SMB 1.0/CIFS Client

You can also try checking / unchecking "SMB 1.0/CIFS Server" and "SMB 1.0/CIFS Automatic Removal".

Note:  SMB 1.0 is insecure and has been deprecated, and is not needed for accessing most NAS devices.  This includes most Synology devices.

Tip:  If you can log in to the NAS by IP address, do so and check the NAS logs to see what protocol was used.  If the problem machine can reach the NAS using SMB2 or higher, you might not need to enable SMB 1.0 support.


P:  Synology NAS SMB service not enabled.

A:  In DSM, go to Control Panel / File Services / SMB/AFP/NFS and check "Enable SMB service".


P:  Synology NAS not handling SMB correctly.

A: Disable SMB 1.0 on NAS.
-  In DSM, go to Control Panel / File Services / SMB/AFP/NFS.
-  Click "Advanced Settings"
-  Reset Maximum SMB protocol to "SMB3".
-  Reset Minimum SMB protocol to "SMB2".
-  Click "Apply".

Note:  Setting Maximum above SMB2 does not seem to do the trick.  The best combo seems to be setting Minimum SMB above SMB 1.0 and disabling SMB 1.0 on the affected PC.

Tip:  If you can log in to the NAS by IP address, do so and check the NAS logs to see what protocol was used.  If the problem machine can reach the NAS using SMB2 or higher, and can log in via IP address with SMB 1.0 disabled, you do not need SMB 1.0 support on either the NAS or the PC.


P:  IPv6 not working.

A:  Network and Sharing Center: 

-  Go to "Change Adapter Settings"
-  Right-click on network adapter, select "Properties"
-  Uncheck "Internet Protocol Version 6 (TCP/IPv6)"


P:  "Client for Microsoft Networks" disabled or not installed.

A:  Network and Sharing Center: 
-  Go to "Change Adapter Settings"
-  Right-click on network adapter, select "Properties"
-  Ensure "Client for Microsoft Networks" is present and checked (enabled)

If not present, click "Install", then "Client for Microsoft Networks".

Note:  It is best to ensure this is present and enabled on all of the network adapters - even if they are not currently being used.

P:  "File and Printer Sharing for Microsoft Networks" disabled or not installed.

A:  Network and Sharing Center: 
-  Go to "Change Adapter Settings"
-  Right-click on network adapter, select "Properties"
-  Ensure "File and Printer Sharing for Microsoft Networks" is present and checked (enabled)

If not present, click "Install", then "File and Printer Sharing for Microsoft Networks".

Note:  It is best to ensure this is present and enabled on all of the network adapters - even if they are not currently being used. 


P:  Out of date network drivers.

A:   Device Manager / Network Adapters / Update driver


P:  Network adapter driver corrupt.

A:  As follows:
-  Network and Sharing Center \ Change Advanced Sharing Settings, turn everything to OFF on all profiles and options.  Save changes and close.
-  Device Manager \ Network Adapters \ Uninstall Ethernet and Wireless adapters
-  Scan for Hardware Changes to reinstall these devices and close Device Manager.
-  Network and Sharing Center \ Change Advanced Sharing Settings \ Turn everything to ON for all profiles and options - Save changes and close.


P:  Microsoft Virtual WiFi Miniport Adapter not set for proper NetBIOS operation.

A:  Network and Sharing Center: 

-  Go to "Change Adapter Settings"
-  Right-click on Microsoft Virtual WiFi Miniport Adapter, select "Properties"
-  Double-click "Internet Protocol Version 4 (TCP/IPv4)"
-  Click "Advanced" button
-  Click "WINS" tab
-  Change from "Default" to "Enable NetBIOS over TCP/IP".

Note:  It is best to ensure this is done on all of the network adapters - even if they are not currently being used.


P:  Windows Firewall is blocking NAS.

A:  Temporarily disable Windows Firewall.  If this works, you'll have to figure out how to permanently fix it.


P:  Bad login credentials stored in Credential Manager.

A:  Navigate to Credential Manager in Control Panel, or run keymgr.dll.
-  Go to Windows Credentials.
-  Remove stored credentials for affected NAS.

Note:  The NAS credentials might be incorrectly stored in "Generic credentials".


P:  Windows using outdated login information.

A:  Map NAS to a drive letter:
-  Right-click "My Computer" (or "Computer")
-  Map network drive
-  Enter NAS share using IP address
-  Check "Log in with different credentials"
-  Open mapped drive letter

This will hopefully force Windows to refresh outdated cached login information for the NAS.


P:  Bad / incorrect "Microsoft 6to4 adapter" or "6to4 adapter" drivers

A:  Device Manager / Network adapters:  Remove all "6to4" adapters.


P:  Necessary services not running.

A:  Using "services.msc", check that the following services are running:
-  Server
-  TCP/IP NetBIOS Helper
-  Workstation


P:  Network provider order wrong / Network provider registry key corrupt

A:  Check the following keys:
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\HWOrder\Provider order
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\Provider order

Should be set to one of the following:
  RDPNP,LanmanWorkstation,webclient

Also check:
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\ProviderOrder\Provider order
  and ensure RDPNP has a number lower than LanmanWorkstation

Also check: 
-  Control Panel \ Network and Sharing Center \ Change adapter settings
-  Tap Alt key to unhide menu bar
-  Click "Advanced \ Advanced Settings" in menu bar
-  Tab "Provider Order"
-  Ensure  the order is:
  -  Microsoft Remote Desktop Session Host Server
  - Microsoft Windows Network
  - Web Client Network (optional, may be missing)


P:  NAS is using Guest account access.

A:  In Registry Editor (regedit):

-  HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\
-  AllowInsecureGuestAuth = 1
-  RequireSecuritySignature = 0

Note:  It is not recommended that the NAS allow insecure Guest account access.  Both values weaken the client: AllowInsecureGuestAuth = 1 re-enables unauthenticated guest logons to shares, which Windows blocks by default, and RequireSecuritySignature = 0 drops the requirement that SMB traffic be signed.  Creating a named user account on the NAS avoids the need for either change.


P:  Time sync issue is preventing NAS and PC from talking.

A:  Set clock on PC.
-   On NAS:  Control Panel \ Regional Options
-  Check "Synchronize with NTP server", server to
-  Click "Update Now".


P:  Corrupt registry keys.

A:  In Registry Editor (regedit.exe):

-  Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
-  For a 64-bit system, create a QWORD called LocalAccountTokenFilterPolicy
-  For a 32-bit system, create a DWORD called LocalAccountTokenFilterPolicy
-  Set  LocalAccountTokenFilterPolicy to 1.


P:  Jumbo frames not working.

A:  Network and Sharing Center:
-  Click Change adapter settings.
-  Right-click adapter, select Properties.
-  Networking tab
-  Click "Configure" button
-  Advanced tab
-  Select Jumbo Frame and disable


P:  NAS name not resolving to IP address.

A:  Edit the hosts file to link the NAS name and IP address manually.


P:  Security policy options incorrect.

A:  Using GPEdit.msc or secpol.msc:

-  Local Computer Policy -> Windows Settings -> Security Settings -> Local Policies -> Security Options

    Microsoft Network Client:
        Digitally sign communications (always)    DISABLED
        Digitally sign communications (if server agrees) DISABLED

    Microsoft Network Server:
        Digitally sign communications (always)    DISABLED
        Digitally sign communications (if client agrees) DISABLED

Note:  gpedit.msc and secpol.msc do not exist in Windows 10 Home Edition by design.


P:  Bad files / settings in Sync Center.

A:  Start the "Sync Center".
-  Click on Manage Offline Files
-  Click View your offline files
-  Under computers, select the server and hit delete to remove it.

Note: If you've never messed with Sync Center, it is likely that there will be no offline file settings to delete / modify.


P:  HomeGroup not managing connections correctly.

A:  In Network and Sharing Center \ Change Advanced Sharing Settings\HomeGroup connections, turn off "Allow Windows to manage homegroup connections (recommended)".

Note:  If you're not using a Homegroup type network, Homegroup settings will not be shown, and this is not your problem.


P:  Two computers with the same hostname.

A:  Event Viewer
-  System logs
-  Search for Event ID 4321. It will tell you another computer with IP address x.x.x.x does not allow you to use the same hostname.

If there is no such event logged, this is not your problem.


P:   Client for Microsoft Networks corrupt.

A:  Uninstall Client for Microsoft Networks, reboot, reinstall, and reboot.

Note:  Windows 10 prevents this from being done via the GUI, and this could mess up your system worse than it already is.  For this reason I have not done it and I don't know the correct process, you'll have to find it yourself.


P:   File and Printer Sharing for Microsoft Networks corrupt.

A:  Uninstall File and Printer Sharing for Microsoft Networks, reboot, reinstall, and reboot.

Note:  Windows 10 prevents this from being done via the GUI, and this could mess up your system worse than it already is.  For this reason I have not done it and I don't know the correct process, you'll have to find it yourself.
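The following read-only check script is an addition here, not part of the original post: run from one elevated PowerShell prompt, it reports the state of the items the list above tells you to inspect (name resolution, port 445 reachability, network profile, services, adapter bindings, NetBIOS, SMB 1.0, guest/signing settings, LocalAccountTokenFilterPolicy, provider order, stored credentials, event 4321) and changes nothing. The NAS name and IP address are placeholders to edit.

```powershell
# Added diagnostic for the checklist above; it is not part of the original post.
# Read-only: it reports the state of each item the list tells you to inspect
# but changes nothing.  Assumes Windows 10/11, PowerShell 5.1 or later, an
# elevated prompt, and that the two placeholder values are edited for your NAS.

param(
    [string]$NasName = 'NAS',          # placeholder: your NAS hostname
    [string]$NasIp   = '192.168.1.10'  # placeholder: your NAS IP address
)

$rows = New-Object System.Collections.Generic.List[object]

# One result line.  $Ok = $false marks an item worth looking at; $null = informational.
function Add-Row([string]$Check, $Value, $Ok) {
    $status = if ($null -eq $Ok) { 'INFO' } elseif ($Ok) { 'OK' } else { 'CHECK' }
    $rows.Add([pscustomobject]@{ Status = $status; Check = $Check; Value = "$Value" })
}

# --- 0x80004005: share works by IP but not by name -> name resolution ---
try   { $addrs = [System.Net.Dns]::GetHostAddresses($NasName).IPAddressToString -join ',' }
catch { $addrs = $null }
Add-Row "Name '$NasName' resolves (DNS or hosts file)" $addrs ($null -ne $addrs)

$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$hostsHit  = Select-String -Path $hostsFile -Pattern "^\s*[\d.]+\s+.*\b$([regex]::Escape($NasName))\b" -Quiet
Add-Row "hosts file pins '$NasName'" $hostsHit $null

# --- 0x80070035: can the client reach SMB (TCP 445) on the NAS by IP at all? ---
$tcp = Test-NetConnection -ComputerName $NasIp -Port 445 -WarningAction SilentlyContinue
Add-Row "TCP 445 reachable at $NasIp" $tcp.TcpTestSucceeded $tcp.TcpTestSucceeded

# Network location should be Private for discovery and sharing rules to apply
foreach ($p in Get-NetConnectionProfile) {
    Add-Row "Profile '$($p.Name)' category" $p.NetworkCategory ($p.NetworkCategory -ne 'Public')
}

# Services the list names: Server, TCP/IP NetBIOS Helper, Workstation
foreach ($svc in 'LanmanServer', 'lmhosts', 'LanmanWorkstation') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    Add-Row "Service $svc ($($s.DisplayName))" $s.Status ($s.Status -eq 'Running')
}

# Client for Microsoft Networks / File and Printer Sharing bound on every adapter
foreach ($b in Get-NetAdapterBinding -ComponentID ms_msclient, ms_server) {
    Add-Row "$($b.DisplayName) on '$($b.Name)'" $b.Enabled $b.Enabled
}

# NetBIOS over TCP/IP: 0 = default (from DHCP), 1 = enabled, 2 = disabled
foreach ($n in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE') {
    Add-Row "NetBIOS over TCP/IP on '$($n.Description)'" $n.TcpipNetbiosOptions ($n.TcpipNetbiosOptions -ne 2)
}

# SMB 1.0: the list calls it deprecated and insecure, so Enabled is the state to question
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
Add-Row 'SMB 1.0/CIFS feature state' $smb1.State ($smb1.State -ne 'Enabled')

# Client-side view of the AllowInsecureGuestAuth / RequireSecuritySignature registry values
$cli = Get-SmbClientConfiguration
Add-Row 'Insecure guest logons allowed (AllowInsecureGuestAuth)' $cli.EnableInsecureGuestLogons (-not $cli.EnableInsecureGuestLogons)
Add-Row 'SMB signing required by client (RequireSecuritySignature)' $cli.RequireSecuritySignature $null

# LocalAccountTokenFilterPolicy = 1 relaxes UAC remote restrictions for local accounts
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
Add-Row 'LocalAccountTokenFilterPolicy' $pol.LocalAccountTokenFilterPolicy ($pol.LocalAccountTokenFilterPolicy -ne 1)

# Network provider order: LanmanWorkstation must be present in both keys
foreach ($key in 'Order', 'HwOrder') {
    $order = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\$key" -ErrorAction SilentlyContinue).ProviderOrder
    Add-Row "NetworkProvider\$key\ProviderOrder" $order ("$order" -match 'LanmanWorkstation')
}

# Stale credentials for the NAS in Credential Manager (cmdkey lists the same store)
$cred = cmdkey /list 2>$null | Select-String -Pattern ([regex]::Escape($NasName)), ([regex]::Escape($NasIp))
Add-Row 'Stored credentials mentioning the NAS' (@($cred).Count) $null

# A duplicate hostname on the LAN is logged as System event 4321
$dup = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 4321 } -MaxEvents 1 -ErrorAction SilentlyContinue
Add-Row 'Event 4321 (duplicate computer name) logged' ($null -ne $dup) ($null -eq $dup)

$rows | Format-Table -AutoSize
```

Rows marked CHECK point at the matching P/A entry above; INFO rows are context only, since a present hosts entry or stored credential may be exactly what you intended.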

Sunday, October 13, 2019

The telephone company analogy for understanding your network

Networking using Phone Number Analogy

This is a simple guide to understanding basic networking, firewalls, port forwarding, servers and VPNs, using the analogy of telephone numbers at a small business.

I hope this will be useful to anyone who is troubleshooting connectivity issues in their network.

Single PC

You're a small business owner, with a 1-room office (computer).  You set up a phone number with your phone company (internet service provider, ISP) to get calls.  Your phone number (internet IP address) is publicly available and you accept all incoming calls.

Single PC Security

Things are not ideal since bad actors are tying up your phone line and trying to mislead your employees into sabotage.

So, you hire a security guard (firewall) who screens all incoming and outgoing calls (packets) at the office door.  He stops anything that looks wrong, and lets the rest through.

Obviously, the guard needs to be told when new employees (programs) are added.  Otherwise he will block their calls by accident.  This is usually done by flagging new outgoing calls as they happen and asking for a confirmation they are OK.

Note that all modern computers include a built-in software firewall.

Multiple PCs (Network)

Your business grows to multiple offices (computers) in one building.

You still only have one phone number, so calls no longer go directly to each office.  You hire a receptionist (router) that has a switchboard.  These handle all incoming and outgoing calls (packets) for the entire business (network).

The reception system (router) usually has three parts:

-  A receptionist that routes each incoming call to the right office;
-  A switchboard that allows calls to be connected through; and
-  A security guard that watches for bad incoming and outgoing calls (firewall).

Your receptionist/switchboard (router) will obviously connect any outbound calls (outgoing requests / outgoing packets) without any instructions.  This means there is no need to set up anything special for calls you initiate.

This includes things like normal web browsing, FTP, e-mail, etc.  This is the reason most people don't need to worry about setting up special settings in their routers for "ordinary" computer stuff.

Note this includes torrenting.  Torrenting software both makes outgoing calls, and listens for incoming calls.  Just doing outgoing calls is not ideal, but it is enough to make it work.

However, all incoming calls come through the single main number.  Your receptionist (router) does not know which office to connect it to.  Anyone calling for a specific office (accounting, finance, etc.) will not get connected.
Therefore, anyone looking for any of your services where they call you (incoming connections / incoming packets) will not automatically find the correct office (computer) in your business (network).

This applies to any service that you provide from inside your own network.  Examples include:
-  Web services (web server)
-  File transfer services (FTP server)
-  Media streaming services (Plex server, etc.)
-  Game servers (Minecraft server, etc.)
-  Torrenting software (uTorrent, qBittorrent, etc.)

Basically, if it has "server" in the name, and it's within your network, the outside world can't find it.

Again, the exception is torrenting.  Most torrenting software will work without port forwarding using just outgoing calls.  But it works better when you also allow incoming calls to connect through, because you get more connections faster.

To solve this and let others connect to you, you need several things:

1.  You assign local phone numbers (local IP addresses) to your offices (computers).  This allows calls into your business phone number (internet IP address) to be connected to the right office (computer).

2.  These local numbers can be changeable (dynamic) or unchanging (static).  To keep calls from going to the wrong offices, we obviously want fixed local numbers (static ip addresses).

3.  You have to give your reception (router)  instructions on what to do with each kind of call.

Nobody outside your office knows your local numbers.  However, there is a default list of extensions (ports) that usually correspond to each kind of office.

-  To call your web site, they dial your phone number (internet IP address) plus extension 80 (port 80, http);
-  To call your FTP site, they dial your phone number (internet IP address) plus extension 21 (port 21, ftp);
-  To call your email, they dial your phone number (internet IP address) plus extension 110 (port 110, pop3)

and so on.

This lets your reception connect each kind of incoming call to the right local phone number.

Unfortunately, there is no way to use just your internal phone numbers - they are hidden behind your switchboard, and are not standardized.  As callers can't dial direct, they have to use the extension numbers (port numbers) instead.

This process of matching the incoming call extension (port) to the right internal office number (internal ip address) is called port forwarding.

As you might imagine, port forwarding is very simple.  It's just a table that says this extension number (port number) gets connected to that internal phone number (internal IP address), which is permanently assigned to a specific office (computer).

From this, it is obviously a bad idea to have two offices (computers) that have the same extension (port forwarding).

For example, say you get a call for extension 80 (web server), but two offices (computers) have that extension (port).  What does your receptionist (router) do?

-  Connect only one office?  What if it's the wrong one?
-  Connect it randomly to one or the other? That doesn't work!
-  Connect it to both? How will the customer know which to listen to?

For these reasons, you can only designate each extension (port) to one office (computer).  (In other words, you can only port forward each type of packet to a single internal IP address.)

This means that if you have a web site office (web server), all of the web sites will need to live in that office (on that computer).  Similarly, you can only have one FTP server, one Plex server, etc.

Of course, some businesses have more than one.  Figuring out how to deal with this restriction is, arguably, a significant part of network administration.

There are cases where two different programs, on two different machines, want to use the same extension (port).  This can be a big problem.

Fortunately, most software makes outgoing calls, which are always OK.  It's only software that receives incoming calls that's a problem.  And having a semi-standardized list of extensions (ports) mitigates this problem.

Network Security

Of course, you also obviously have to tell all of the security guards (firewalls) in the chain to let the calls through.  This includes any guard in each office (local software firewall) plus the guard at reception (router firewall).

When you give your reception (router) the port forwarding instructions, the guard at reception (router firewall) will naturally see it and will let through any such calls automatically.  However, the guards in the offices (local software firewalls) don't get to see this, and so have to be told separately.

From this, it is tempting to turn off one or more firewalls, since they are theoretically redundant.  This is not a great idea since more firewalls mean more protection, but it can be done. 

If any given guard (firewall) is stopping the call from connecting, that port is said to be closed (blocked).  If all the guards are allowing the call through, the port is open.  Open ports ring through - blocked ports do not.


There may come a time when you no longer want the world to know your phone number (external IP address).

This is usually done for privacy reasons.  If your phone number is public, it is possible for your phone company (internet service provider) to listen in.  Some people don't like this.

To prevent this, you hire a call forwarding service (virtual private network, VPN).  From then on, all calls go through them.

To facilitate this, you change your published phone number (internet IP address) from your real number to the number of the call forwarding service (VPN).  Anyone trying to call you will be calling them instead, hiding your real phone number.

Forwarding can be handled at one of two places:

-   At the phone in each individual office (computer).  You need to place a special forwarding agent (VPN program / application) in each office (computer) to accomplish this.

-  At your main reception (router).  You just instruct your reception (router) to connect all outgoing calls to the forwarding service (VPN).  This covers your entire business (network) in a single step.

You can also tell reception to route only a block of internal offices through the VPN, and connect all other calls normally.

After setup, the process for outgoing calls is:

-  You call a special encrypted phone line at the forwarder (VPN).
-  They connect you through to the external number.
-  The call ID at the other end shows the number of the forwarder (VPN), not your real phone number.

As the forwarder handles calls for thousands of businesses, this process ensures that nobody can tell which outgoing calls are yours.  And as calls are encrypted, nobody can listen in.

This obviously works fine for all outgoing calls.  Aside from setting up the VPN service itself, nothing more is usually needed.

Incoming calls, however, are a different story.

Remember, you changed your phone number (internet IP address).  Customers are now calling your call forwarding service (VPN), and not you.

The forwarder handles thousands of customers.  So if they get a call at their own phone number to any given extension (port), they do not know who it is for.

For example, say they get a call for extension 80 (port 80).  Out of their thousands of clients, who is this for?  They can't know, so the call fails to connect.

Remember, the caller does not know your number - they only know the number of the VPN.  That is the point.  So the caller can't identify you to the VPN either.

This occurs from outside, and randomly, so you can't handle these with an outgoing call.  There is also no way to call them back since you never saw the incoming call in the first place, plus they might not even be listening anymore.

This means that if you use a VPN, any services you offer - web, FTP, game, etc. - will automatically be blocked, even if everything else is OK.  This is obviously a big issue.

To fix this, you have a few options.

1.  You can specifically tell your call forwarder to send extension calls to you.  This is known as VPN port forwarding.

Obviously, connecting specific calls to you is at odds with making you anonymous, and is technically challenging.  So not every VPN provider offers port forwarding, and those that do often require special setups.  Sometimes you have to manually reconfigure the VPN client daily (or so), which can be a pain.

Note that it is not usually possible to set up VPN port forwarding at your reception (router), because it won't support it.  It's just too complex for consumer-grade routers.  You usually must use the software VPN application on the affected machine.

2.  You can stop using the VPN for the affected machines.  That is, your servers will have to live outside the VPN.

This is why you will often hear of people that have excluded certain machines from VPN service.  These machines are typically servers that can't work behind the VPN.

This works well if your server is separate from your working machine.  The server can live outside the VPN, but your personal machine can stay in, keeping your personal web traffic anonymous.

As most services are really simple, it is very easy to get a separate machine to use as your server.  For web and other simple stuff, almost anything will do.

Game and media servers are more complex.  However, these benefit from being outside the VPN since VPNs slow you down.

3.  For intermittent operation only, you can turn off the software VPN client on the affected machine.  This leaves you outside the VPN to do what you need to do, after which you can turn it back on.

This is cumbersome but is OK for some things.  For example, if you need to use a specific application that does not work well behind the VPN - maybe video conferencing - but only sometimes, turning off the VPN can be an easy solution.

4.  You can move your services to a machine outside your network.

For example, you can move your web hosting from a local network machine to a hosting service.  This outside service will not be using a VPN, so no problem.

This obviously doesn't work well for game servers, and not at all for remote access, media or file services.  Those services need access to your local files by definition, and can't readily be moved to an offsite service.

5.  You can install the affected software on a separate machine that lives outside the VPN.

For example, maybe you set up video conferencing only on your laptop, and move it outside the VPN.  You keep your workstation on the VPN.

This means that you have to do all your video conferencing on your laptop, which may be inconvenient.  But your workstation is still protected by the VPN full-time, which is convenient.

At the end of it all, remember that VPNs just ensure privacy.  You will need to decide how important that privacy is, relative to the difficulty of setting up the software you need.

Tuesday, September 24, 2019

In defense of the bunch-of-disks backup for NAS servers

As storage gets cheaper, more and more people are using NAS devices.

Many of these are relatively small (6-10 TB).  These can be backed up on a single external USB hard drive.

However, many exceed 20 TB, and there are a lot of people out there running 40 TB or more.

Of course, these people purchased their NAS specifically for the very high capacity, redundancy and fault-tolerance of these devices.  Many run two-fault-tolerant arrays, dual redundant power supplies, dual UPS, and at least one hot spare.  They are as bulletproof as possible.

However, they are not perfect.  So it only makes sense to try to have a last-resort backup of everything that's on a NAS.

So - how do we do that?

Options are limited:

1.  Go cloud storage.  Yeah, great if you want to spend $200+ per month.

Oh, and all those "hacks" for "free / unlimited" options - they're either gone, going, or never worked anyway.

2.  Buy a second NAS and mirror it.  Great if you want to spend $3,000 to $5,000 on a new NAS plus hard drives to fill it.

3.  Tape.  Great if you want to spend $2,000 on a used tape drive.  Paying $50/tape is not bad, if you can afford the drive.

4.  Buy a smaller NAS and backup only "critical" stuff.  Defeats the purpose.

5.  Backup to a rented box in a data center.  I don't even know how much that costs - likely lots - but just try uploading 50 TB over your connection.

That leaves just one option: back up to a bunch of hard drives.  It is quite possibly the cheapest and most robust solution.

Despite this, I see lots of people bash this solution mercilessly.  So I wanted to present my take on it.

Like anything, this solution obviously has disadvantages:

-  Yes, you will lose some data if a drive fails.  However, you will also lose data if a NAS, RAID array, USB drive or a tape fails, so that is hardly a flaw unique to this solution. 

-  There is very little software that will let you easily spread vast amounts of data across multiple hard drives.  Such "spanning" is built into CD/DVD writing tools, and can be done for USB sticks, but not for hard drives.  This makes for a lot of somewhat tedious manual copying, and you have to keep track yourself of which drive holds what.

[Note:  Handy Backup claims this feature is "coming soon".]

-  Incremental backups are impractical unless you keep a record of which drive holds which file.  So plan to spend some time annually - and over the course of some weeks - re-copying all of the data you copied last year.

-  It seems slow.  (Though I doubt it is much slower than other solutions.)

It also has a lot of advantages:

1.  Simple:  It's easy.  A little tedious, but any computer can copy files.  There is no need for special software or complicated data-processing techniques.

2.  Robust:  As long as you store plain files rather than one archive, compressed bundle or encrypted container that spans the set, if you lose one drive, all the rest of the data is OK.  There is no risk of breaking an archive or backup format by losing a single chunk.  (If the drives will leave the building, encrypt each drive, or each file, separately and keep the keys somewhere other than on the drives: that keeps the per-drive independence while stopping whoever finds a lost drive from reading it.)

Now, obviously, losing any of your last-resort backup in an actual disaster situation would be A Bad Thing.  But not as bad as losing 1 drive of a 10-drive set that does not function without that one drive.

Similarly, bad sectors or other similar faults on one drive - or even on several drives - do not affect the rest of the backup set.  Yes, you will lose files, but you won't lose all the files in the set.

3.  Cheap:  This uses only hard drives plus some means to connect them (USB or SATA dock) - which many people who run NAS systems will have lying around anyway.  No expensive bits like a NAS or tape drive.

For a little extra boost, re-use all those older - but still working - hard drives that you retired from your NAS boxen.  Sure, you may end up with a stack of 20 drives - but it's cheap!

4.  Capacity:  Spinning-rust drives are the cheapest storage per terabyte that needs no special drive to read it, and they pack a lot of capacity into a small, stackable package.  Plus, the $/TB gets cheaper by the month.

5.  Expandable:  Add more drives anytime.

6.  Flexible:  Use whatever drives suit - mix and match at will.  You can even use a mix of SATA, USB and NAS drives.  Can't do that with tape (or, at least, not as easily).

7.  Portable:  Drives can easily be moved offsite, to a safety deposit box, stored in a safe, or whatever.  Storing in ideal conditions is relatively easy.  Bringing the drives to the restore point - wherever it may be - is also very easy.

8.  Durable:  While it's not recommended you test this, a modern hard drive that is powered off (heads parked) tolerates far more shock than a running one, and many survive drops and other abuse with zero damage.  Old-timers will faint from shock before the drives actually give up.

9.  Protectable:  Drives can be easily protected against drops, ESD, fire, water, etc.  A Nanuk 935 will hold ten 3.5" SATA HDDs, making them almost indestructible.   For extra protection, consider a fireproof safe - one rated for digital media, since a safe rated only for paper lets the inside get hot enough to cook a drive - or just go offsite.

10.  Compatible:  You don't get any more standard than a SATA disk with a GPT partition table.   No matter what changes in technology we might have, these drives are going to be machine-readable for years, if not decades, into the future.  (Try that with your Zip, Jumbo and DAT drives.)

11.  Universal:  You can read these drives back on any machine, right now.  No need for a special tape drive, special software to decompress or de-archive, or anything - provided you format them with a filesystem every OS can read (NTFS or exFAT, rather than ext4 or APFS).

OK, at worst, you'll need a USB dock or USB drive case that can be picked up at any store, anywhere, anytime.  With that, any computer - be it Windows, Mac or Linux - virtually anywhere in the world will be able to read and restore your backups right now.

12.  Reliable:  Some say that a hard drive will retain data for only 1.5 years in storage - others say 5 years is fine, or maybe even 10-20 years, or possibly even longer.  This simply won't be an issue if you refresh the data reasonably often - say, annually - and "refresh" should mean reading every file back and checking it against a hash list, not just plugging the drive in to see if it spins up.

Other than that, spinning drives don't tend to break when they're not spinning, and these drives will spend 99% of their life in an inert state.  So the drives are likely to physically last an extremely long time.

13.  Redundancy:  Spread the risk by storing critical data multiple times on multiple different drives, or storing multiple backup sets in different locations.

A lot of "critical" data is actually really small - documents, PDFs, and the like.  Even photos don't take up that much space unless you're a photo hound.

So, it's usually easy to copy what you really can't live without onto every drive of a backup set, and it costs hardly any capacity.  You net 5-10 copies for the price of 1, essentially.  (Try that with your backup software.)
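The manual spanning complaint above, the annual refresh check (point 12) and the copy-it-onto-every-drive trick (point 13), as one added example that is not part of the original post.  It assumes nothing about any particular NAS: the drive roots, capacities and file tree are constructed inside the script (the sample file names are made up), and the manifest uses the `sha256sum` line format so a drive can also be checked with `sha256sum -c MANIFEST.sha256` on any Linux or Mac box.

```python
"""Span a file tree over several plain disks, each with its own hash manifest.
Added example, not code from the original post; drive roots, capacities and the
sample tree are constructed.  Python 3.8+, standard library only."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.sha256"   # `sha256sum` line format, so `sha256sum -c` works too


def plan_span(files, capacities, critical=frozenset()):
    """Assign (relative_path, size) files to drives with the given free bytes.
    `critical` paths go on every drive.  Biggest files are placed first
    (first-fit decreasing) and no file is split, so each drive reads alone."""
    size = dict(files)
    free = list(capacities)
    plan = [[] for _ in capacities]
    for path in sorted(critical):                # pin the critical set everywhere
        for d in range(len(free)):
            if size[path] > free[d]:
                raise ValueError(f"drive {d} too small for critical file {path}")
            free[d] -= size[path]
            plan[d].append(path)
    for path in sorted((p for p in size if p not in critical), key=lambda p: -size[p]):
        for d in range(len(free)):
            if size[path] <= free[d]:
                free[d] -= size[path]
                plan[d].append(path)
                break
        else:
            raise ValueError(f"no drive has {size[path]} bytes free for {path}")
    return plan


def sha256_file(path, bufsize=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bufsize), b""):
            h.update(chunk)
    return h.hexdigest()


def copy_to_drive(src_root, drive_root, rel_paths):
    """Plain file copies (no archive, no container) plus a manifest of
    'sha256  relative/path' lines written onto the drive itself."""
    src_root, drive_root = Path(src_root), Path(drive_root)
    lines = []
    for rel in rel_paths:
        dst = drive_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src_root / rel, dst)        # copy2 keeps timestamps
        lines.append(f"{sha256_file(dst)}  {rel}\n")
    (drive_root / MANIFEST).write_text("".join(lines))
    return len(lines)


def verify_drive(drive_root):
    """Read every file back against the manifest: the annual refresh check.
    Returns {relative_path: 'missing' | 'corrupt'}; an empty dict is a clean drive."""
    drive_root = Path(drive_root)
    bad = {}
    for line in (drive_root / MANIFEST).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        p = drive_root / rel
        if not p.is_file():
            bad[rel] = "missing"
        elif sha256_file(p) != digest:
            bad[rel] = "corrupt"
    return bad


def demo():
    """Constructed run: span a small tree over two 'drives', verify both, then
    damage one file on drive 0 and show the damage stays confined to drive 0."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "nas")
        sample = {"docs/tax-2018.pdf": 300, "docs/passwords.kdbx": 200,   # made-up names,
                  "photos/2019/a.raw": 2000, "photos/2019/b.raw": 1800,   # sizes in bytes
                  "video/holiday.mkv": 2500}
        for rel, n in sample.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(os.urandom(n))
        critical = {"docs/tax-2018.pdf", "docs/passwords.kdbx"}
        plan = plan_span(list(sample.items()), [4500, 4500], critical)
        drives = [Path(tmp, f"drive{d}") for d in range(len(plan))]
        for root, rels in zip(drives, plan):
            copy_to_drive(src, root, rels)
        before = [verify_drive(r) for r in drives]
        victim = drives[0] / plan[0][-1]         # simulate a bad sector: flip one byte
        data = bytearray(victim.read_bytes())
        data[0] ^= 0xFF
        victim.write_bytes(data)
        after = [verify_drive(r) for r in drives]
        return {"plan": plan, "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

For real use, point `src` at the NAS mount and each `driveN` at a mounted backup disk.  `verify_drive` is what the annual refresh should run against every drive; mount the drive read-only if you are only checking it, and keep a copy of each manifest off the drive so you still know what was on a disk that has died.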

14.  Isolation:  Offline cold-storage drives sitting on a shelf are air-gapped: ransomware, a fat-fingered delete or a compromised NAS can't touch them.  The one exposure window is the time a drive is plugged in for a refresh, so do that from a machine you trust, attach one drive (or one set) at a time, and never have every set connected at once.

Ransomware sucks, but it's not going away, and you can still get pwned even if you do absolutely nothing to prompt infection yourself.  So you'd better have cold backups somewhere.

Yes, some data will be out of date, and yes, you will lose some of it.  But would you rather lose some - or all?

This solution isn't for everyone, and it's obviously best suited to those that need a last-resort, just-in-case copy of vast amounts of relatively static data.  Kind of a roll-your-own, personal Amazon Glacier.

But, for anyone needing to back up tens of terabytes reliably, without the need for instant restore, and without access to corporate-grade hardware, this looks like the best choice to me.

You should permanently install a USB boot / backup drive on your PC

I mean, why rummage through your box of unused drives when it's too late?  Create a UEFI boot drive now, plug it into an unused (and fairly inaccessible) USB port on your PC, and you're ready to go whenever.  Makes backup and recovery a lot easier.  Just remember that a drive that is always plugged in is an online backup, not a cold one: ransomware that hits the PC will hit it too, so treat it as the convenience copy, not the last-resort copy.

Taping the boot shortcut key for your PC to your monitor won't hurt, either.

So far, the boot environment of Macrium Reflect seems to work pretty well.

I don't like their file naming system, but I can live with it.

I haven't actually tried a bare-metal restore with it yet.