Under the Radar

Under the Radar 13: External Dependencies


00:00:00   welcome to under the radar a show about

00:00:02   independent iOS app development I'm

00:00:04   Marco Arment and I'm David Smith under

00:00:06   the radar is never longer than 30

00:00:07   minutes so let's get started so today we

00:00:11   wanted to unpack the situation that

00:00:15   occurred I guess it was the end of our

00:00:18   beginning of this week end of last week

00:00:20   something like that where Parse a fairly

00:00:23   widely used platform for app backends

00:00:27   design announced that they will be

00:00:28   shutting down and the while the actual

00:00:32   situation and the nuances of that aren't

00:00:34   particularly like generally applicable

00:00:36   they're interesting the actual sort of

00:00:38   the fundamentals of that of having this

00:00:40   big general-purpose flat platform that

00:00:42   was used by lots of apps finally

00:00:44   shutting or deciding it was going to

00:00:45   shut down has a lot of knock-on effects

00:00:48   that are probably worth unpacking before

00:00:51   we dive into that it probably makes sense to

00:00:52   just sort of talk about what Parse was

00:00:53   and so Parse was this platform that made

00:00:56   and relatively easy to make a back-end

00:00:59   for your application that would do

00:01:00   object persistence user management

00:01:03   things like that like a very basic

00:01:05   high-level like non specific to a

00:01:07   particular industry back-end sort of

00:01:09   system that a lot of apps could use and

00:01:11   it had fairly attractive pricing and

00:01:14   including a free tier which is always a

00:01:16   bit of a trap for these kinds of things

00:01:18   where you can say oh we can use it for

00:01:19   free and if our app gets really

00:01:20   successful then we only then what we

00:01:22   have to pay and then Parse a couple years

00:01:24   ago was bought by Facebook which it made

00:01:26   everyone who is using it kind of happy

00:01:27   because oh now it's not this sort of

00:01:29   fly-by-night thing it's backed by you

00:01:31   know this major corporation but now it's

00:01:34   being shut down Facebook has

00:01:36   decided that that's not something that

00:01:37   they want to invest in and continue to

00:01:39   maintain and so a year from now they are

00:01:42   going to be turning it off they're doing

00:01:44   it pretty well like they're getting a

00:01:46   year's notice and a bunch of migration

00:01:47   tools but at the end of the day this

00:01:49   thing that I've heard varying reports

00:01:52   but you know at least I think it's fair

00:01:55   to say a quite a lot of apps make use of

00:01:57   at least in part is just gonna be

00:01:59   turned off and as a result the apps that

00:02:01   use it if they haven't been updated or

00:02:03   migrated are just going to stop working

00:02:05   and that's kind of tricky yeah I think

00:02:08   one of the weird things about this is

00:02:09   like you know kind of ties back to app

00:02:11   economics where

00:02:12   in order for these apps to continue

00:02:15   working it has to be worth their

00:02:16   developers time and and their developers

00:02:19   have to have the budget to now do a

00:02:22   noticeable update and you know they've

00:02:24   made it relatively easy they've released

00:02:26   big parts of their service as open

00:02:28   source that you could just install at

00:02:29   any server Microsoft Azure has started

00:02:32   trying to attract people to migrate to

00:02:34   them and they're making a little bit

00:02:35   easier

00:02:36   so there are migration options here that

00:02:38   aren't gonna be incredibly work heavy

00:02:41   but it is still work you have to still

00:02:43   do an update there are going to be

00:02:44   things you have to change and rewrite

00:02:45   and so it has to be worth that happening

00:02:49   by the by the apps developers so if

00:02:52   you're relying on an app that uses this

00:02:53   that hasn't updated in a long time that

00:02:55   might never be updated for this it might

00:02:57   never be worth somebody's time to update

00:02:59   it and that's unfortunate and that that

00:03:01   is going to cause a lot of problems in

00:03:02   the app stores these apps will kind of

00:03:03   slowly you know collect 1 star reviews

00:03:06   and stopped working and and they just

00:03:08   kind of live as zombies forever yeah and

00:03:10   so as developers when I see something

00:03:13   like this like I said like the a the

00:03:15   specifics of the Parse situation are sort

00:03:18   of inch vaguely and or like

00:03:19   intellectually interesting but aren't

00:03:20   actually practically that interesting

00:03:22   but what it makes me think about is it

00:03:24   makes me evaluate the dependencies that

00:03:27   I have in my own apps and as I build

00:03:29   apps and increasingly a fewer and fewer

00:03:33   of the things that I've built have no

00:03:36   web component whatsoever because the

00:03:38   feel seems like these days like you're

00:03:41   gonna need some kind of back-end for

00:03:43   your application either something like

00:03:45   Parse or you know that's sort of like

00:03:47   off the shelf or something you build

00:03:49   yourself and you're probably gonna need

00:03:51   these for at least one of three reasons

00:03:53   like you're gonna need some kind of your

00:03:55   apps probably going to do something

00:03:56   back-up related or people are if they're

00:03:58   people are putting any amount of data

00:04:00   into your application they're probably

00:04:02   going to want to be able to have it

00:04:04   backed up and this is something that for

00:04:06   a long time I used to ever say oh I rely

00:04:08   on like the iTunes iCloud backup system

00:04:10   but that is all kinds of problems and

00:04:13   issues that you'll run into where like I

00:04:16   have a recipe manager and I ran into

00:04:18   issues where like their recipes were

00:04:20   fully backed up in like the latest

00:04:22   backup that they did but they

00:04:23   accidentally deleted the app and so now

00:04:25   the only way they

00:04:26   get their recipes back is to do a full

00:04:29   restore of an old backup on to their

00:04:32   device potentially destroying newly like

00:04:35   newer data on in other apps and things

00:04:38   like it's a mess so you wanna be able to

00:04:39   backup your data or you want to be able

00:04:41   to sync your data between different

00:04:43   devices so you'll need some kind of

00:04:45   back-end to do that or you just have an

00:04:47   app that has like a core service like

00:04:49   obviously like I imagine in Overcast you

00:04:52   need a back-end or this you're like a

00:04:55   lot of what you do wouldn't work if you

00:04:56   didn't have some kind of back-end to run

00:04:58   for it oh sure I mean you know there are

00:05:01   podcast apps that don't use server-side

00:05:03   backends like as intermediaries and just

00:05:05   crawl feeds directly and everything but

00:05:07   that's not how I built mine and and it

00:05:10   affords me a bunch of advantages to have

00:05:11   done it the way I do it but now I have

00:05:13   this big dependency on my service

00:05:15   yeah and I think ultimately like that's

00:05:17   the right word like at the end of it

00:05:19   building these backends that are maybe

00:05:22   they aren't always required but are

00:05:23   going to be required in a lot of cases

00:05:25   like the biggest thing that I think this

00:05:28   situation is instructive for is making

00:05:31   us aware of the things that were

00:05:33   dependent on and that our apps are

00:05:35   dependent on because we're always gonna

00:05:38   be dependent on something it seems like

00:05:39   there's no way to really say like ok I'm

00:05:41   gonna be completely independent because

00:05:43   ultimately you're gonna be like I'm very

00:05:44   reliant on Apple for example and iOS

00:05:48   like if if Apple announced you know

00:05:51   tomorrow that hey we've decided you know

00:05:54   this iOS thing isn't really working out

00:05:55   we're just gonna turn it off like we're

00:05:58   just gonna stop making iPhones I'm not

00:06:00   saying it's likely but if they did my

00:06:02   apps would stop working like in the same

00:06:04   way that if Parse deciding you know to

00:06:05   go away meant that apps that relied on

00:06:07   it go away like or maybe a more

00:06:09   practical example for like i-4 on the

00:06:11   Apple side of things as if they decide

00:06:13   like you know what CloudKit isn't

00:06:14   working out we're gonna turn that off or

00:06:16   those types of things or like I rely on

00:06:19   my hosting provider I host all my own

00:06:21   all my Linux servers on Linode and you

00:06:25   know if they decide they're gonna go out

00:06:27   or they go out of business or they

00:06:29   decide they're not gonna do the kind of

00:06:30   hosting that I need anymore

00:06:31   suddenly like I'm in a big bit of a bind

00:06:34   and so like there's no way to avoid

00:06:35   being dependent you're always dependent

00:06:37   on something

00:06:38   but like you can there's a lot of

00:06:41   dependencies that you kind of have some

00:06:42   choice in like do i want to be so wed to

00:06:46   a particular platform or back-end or

00:06:47   system or do i want to be a bit more

00:06:50   flexible and you know it ends

00:06:52   up like the more custom you make it and

00:06:54   how much of it you control you're gonna

00:06:56   have more like Portability and be able

00:06:59   to be like you know if this particular

00:07:00   host goes away I can just get another

00:07:02   one and you're gonna be able to look at

00:07:05   the trade-offs and make more choices

00:07:06   than if you're just all in on one thing

00:07:09   that's when you start to get a little

00:07:11   bit awkward yeah and that's why I like

00:07:13   the the selection of what you depend on

00:07:16   this this is why I'm usually very

00:07:18   conservative with these you know

00:07:19   obviously I try to minimize how many

00:07:21   external services and companies and

00:07:23   things I depend on but you know the

00:07:25   betterment something as you said this is

00:07:28   why I always try to choose as

00:07:29   conservatively as possible so like yeah

00:07:32   Apple could shut down the entire App

00:07:34   Store and that would that would really

00:07:35   be disruptive for us but that's very

00:07:37   unlikely like the apps the app stores

00:07:39   continued success is pretty important to

00:07:42   Apple as well so I've aligned my

00:07:44   incentives with this now pretty old and

00:07:47   pretty important thing to its parent

00:07:49   company that like it is very unlikely

00:07:51   that Apple's Apple will do that and

00:07:53   that'll be a problem for me

00:07:54   Facebook shutting down parse this thing

00:07:57   they bought did not have that kind of

00:07:59   luxury like if you were a parse customer

00:08:01   six months ago you're like looking

00:08:02   evaluating this this dependency Facebook

00:08:05   it isn't that important to Facebook to

00:08:07   keep this running so that this this was

00:08:09   foreseeable that like this was a high

00:08:11   risk of happening that this company made

00:08:13   this service it got big got bought the

00:08:15   parent company didn't really depend on

00:08:16   its continued operation for their core

00:08:18   strategy so this was always gonna be a

00:08:21   risk right so you know if if Linode I

00:08:25   know however we're supposed to be

00:08:26   pronouncing it I say Linode do you say

00:08:27   Linode they say Linode if if that

00:08:29   particular Linux VPS host gets shut down

00:08:32   well that's unlikely because they're

00:08:35   really big and they're they've been

00:08:37   around a while but even if that happens

00:08:40   migrating away from that is not that big

00:08:43   of a problem because there are other

00:08:44   Linux VPS hosts just like it and they

00:08:48   and if if every Linux VPS host went away

00:08:52   you could get a Linux server somewhere

00:08:53   that behaved very similarly you know if

00:08:56   every Linux server provider went away

00:08:59   you could add as a last ditch run one in

00:09:01   your house like you shouldn't but you

00:09:03   could like in this so like the the

00:09:05   transition options away from something

00:09:08   are also very important like parse

00:09:09   shutdown they did a decent thing here

00:09:12   where they they open sourced a big part

00:09:13   of their of their server and made it

00:09:16   like installable on your own stuff but

00:09:17   what if they didn't do that lots of

00:09:19   things shut down and never do that

00:09:20   because they just either can't or won't

00:09:22   or don't feel like it so you know if

00:09:26   let's suppose suppose you depend on an

00:09:28   Amazon Web service for your business and

00:09:30   Amazon shuts that down most of the time

00:09:33   that is very hard to replace because

00:09:35   they are so custom and proprietary you

00:09:37   can't just kind of do your own thing if

00:09:39   you dependent on any kind of like high

00:09:41   level service like this then it is it is

00:09:44   always a risk the the more like custom

00:09:47   and proprietary and high level something

00:09:48   is the risk of it being hard to replace

00:09:51   if it ever does go away increases yeah

00:09:55   and I think that's ultimately probably

00:09:57   like the enticement and why it's this

00:09:59   weird tension that you find yourself in

00:10:01   as you're developing a service or as

00:10:02   you're thinking about a feature you're

00:10:03   saying like if I do it with this high

00:10:06   level can't like constructor that this

00:10:09   company's providing I can save myself a

00:10:12   lot of time upfront because I'm not

00:10:15   having to build that again you know I'm

00:10:18   saying like if if there's this solution

00:10:20   that they've come up with that like

00:10:22   means that you know user authentication

00:10:24   it's just like a thing that I can just

00:10:26   ruff like plug into my app and it

00:10:28   handles all the give a secure password

00:10:30   storing and email resets and all that

00:10:33   kind of stuff like say there's a service

00:10:34   that does that off-the-shelf like that's

00:10:36   you know days weeks months of time that

00:10:40   you weren't spending building that thing

00:10:42   that instead you're just kind of more

00:10:43   integrating directly into your

00:10:44   application and so like it's enticing

00:10:47   and like you're getting this enticement

00:10:50   at the benefit of that upfront time but

00:10:53   it's sort of at the detriment of this

00:10:55   this risk that you're increasing in your

00:10:57   application and

00:10:58   maybe that makes sense like if you're

00:11:00   just kind of prototyping something and

00:11:02   throwing it out there or you aren't in a

00:11:04   situation that's very time limited that

00:11:06   you have to you know you if you don't

00:11:08   ship your app in a month it's you're

00:11:12   gonna miss some kind of market window or

00:11:13   opportunity that or like that's the only

00:11:15   amount of like you just have that much

00:11:16   money to make a run at it and you just

00:11:19   kind of have to then great like it's

00:11:22   there's nothing bad about those types of

00:11:24   things but it's this weird tension that

00:11:26   you're finding of like because you're so

00:11:28   locked in at that point you're setting

00:11:30   yourself up for difficulty down the road

00:11:33   because it's not necessarily like you're

00:11:35   it's like short-term benefit and like

00:11:38   long-term pain because you know

00:11:39   developing it yourself there's also

00:11:41   long-term pain it's a different kind of

00:11:42   pain but like you have to then be the

00:11:45   one who's maintaining it or when

00:11:46   security issues happen you know you have

00:11:48   to could be you're the one going in and

00:11:50   patching your web server or you're the

00:11:54   Linux distribution you're installing on

00:11:55   your servers or whatever like you're you

00:11:57   know at some point there's always the

00:11:58   long-term challenges with these things

00:12:00   but the difficult the difference is more

00:12:02   one of your totally locked in and at the

00:12:06   whim of whatever that company is and

00:12:08   unless you're their biggest customer

00:12:11   which for the kind of people who I

00:12:12   imagine listen to a show like this

00:12:13   you're unlikely to be a service

00:12:16   providers made like biggest customer

00:12:18   you're just gonna be kind of like rah

00:12:20   you know sort of wash back and forth

00:12:22   based on whatever makes sense for them

00:12:24   and that may or may not be something

00:12:26   that or a position that you find

00:12:28   yourself in that you'd be comfortable

00:12:29   with this episode of under the radar is

00:12:32   brought to you by hover quite simply

00:12:34   hover is the best way to buy and manage

00:12:36   domain names when it comes to buying a

00:12:38   domain name hover is the first place I

00:12:40   check now when you have an idea for a

00:12:41   project naming it can be difficult when

00:12:43   you finally get that name you want to be

00:12:45   able to quickly and easily get the

00:12:46   domains that you need hover provides a

00:12:48   simple fast and hassle-free method of

00:12:50   buying domains I don't want to be faced

00:12:52   with a thousand screens and all these

00:12:53   add-ons high prices all these like

00:12:56   custom weird services that seem kind of

00:12:57   like scams I just want to get in it's

00:12:59   like what I need buy it and get on with

00:13:01   my life and building my new idea hover

00:13:03   makes us very very easy

00:13:04   their search is very nice it suggests

00:13:06   things for you if nothing's available

00:13:08   they can search all the TLDs all the

00:13:10   crazy new ones in addition to all the

00:13:12   nice

00:13:13   and they have dot-com domain starting at

00:13:15   just $12.99 a year great prices on all

00:13:18   the other ones as well all these include

00:13:20   Whois privacy for free with every hover

00:13:22   domain because they believe that you

00:13:24   shouldn't have to pay extra for

00:13:25   something like that that's you know

00:13:26   obviously you want to keep your private

00:13:28   information private that's one have

00:13:29   fantastic customer support if you want

00:13:32   to call them they have a no hold no wait

00:13:34   no transfer telephone support policy

00:13:36   when you call them you talk to an actual

00:13:37   human being not a robot not a menu you

00:13:40   don't have to say like operator like the

00:13:42   stupid speak menus it's a real human

00:13:44   being you can just talk to directly they

00:13:46   pick up the phone and if you do of

00:13:47   course prefer the robots they also have

00:13:50   great support documents and support

00:13:51   guides and their website for getting

00:13:52   everything you need and you can email

00:13:54   them as well if you'd like and they also

00:13:56   have a valet transfer service where they

00:13:58   can take all the hassle out of switching

00:13:59   from your current provider so because

00:14:01   they do it all for you you can just give

00:14:03   them your login to your old provider and

00:14:04   they will transfer names for you if

00:14:05   you'd like all that for free of course

00:14:07   they have so much more great stuff they

00:14:09   have volume discounts they have custom

00:14:11   email addresses storage and forwarding

00:14:13   and so much more stuff check it out

00:14:15   today at hover.com

00:14:17   use code perspective at checkout that is

00:14:20   once again code perspective at checkout

00:14:22   and you will get 10% off your first

00:14:24   purchase at hover.com and you will show

00:14:26   your support for under the radar and all

00:14:28   of Relay FM thank you very much to hover

00:14:30   for sponsoring this episode so it seems

00:14:33   like we should probably also dive now

00:14:34   dive into kind of like what we do how we

00:14:37   approach this because I think we both

00:14:39   have found ourselves at the end of the

00:14:41   like the thought process on how we

00:14:44   should make backends for our servers

00:14:46   with the like well we're gonna build

00:14:47   them ourselves and we're gonna build

00:14:49   custom applications running on you know

00:14:53   Linux VPSes that we use and probably

00:14:58   worth saying why we kind of do that I

00:15:00   mean to me it's it's you know first of

00:15:02   all it's all about control for me I'm a

00:15:03   control freak and I want to do

00:15:05   everything myself and I want I want I

00:15:06   want everything to be under my control

00:15:07   because I don't want to have major parts

00:15:11   of my roadmap dictated by a dumb change

00:15:16   in my host that oh all of a sudden this

00:15:17   entire thing I depend on is shutting

00:15:19   down and I got to change that like you

00:15:21   know Apple gives us enough of those

00:15:22   things we don't you know the with like

00:15:24   new device releases and everything but

00:15:25   those are you know kind of

00:15:26   an unavoidable part of working with

00:15:27   Apple but when it comes to running your

00:15:29   services you control a lot more of that

00:15:31   and you can avoid those things and so I

00:15:33   love that part of it and for me it's

00:15:36   also it's also a lot about capability

00:15:38   and and cost in a low cost and and and

00:15:42   just being able to do a lot CloudKit is

00:15:44   very appealing in a lot of ways and if I

00:15:46   was making the new app today I would

00:15:48   think very hard about how about whether

00:15:50   I could just do it all in CloudKit and

00:15:51   whether that'll be the right move for me

00:15:52   but it is still limited in what it can

00:15:56   do what it can't do

00:15:57   and and so for me like a website or like

00:16:01   a regular Linux back-end is the default

00:16:03   for me I know how to do it it really

00:16:05   isn't that hard which we'll get into in

00:16:07   a little bit it really isn't that hard

00:16:08   and it's it is surprisingly capable for

00:16:12   surprising little cost yeah exactly I

00:16:14   think there's the reasons are fairly

00:16:16   similar for me like I like I think the

00:16:19   thing that I like most is being able to

00:16:21   tailor the backend of my application to

00:16:23   not necessarily the application but it's

00:16:27   tailored to the way that I think and the

00:16:29   way that I solve problems in the way

00:16:31   that I'm thinking about like the

00:16:32   problems that are being solved in my app

00:16:35   so when I'm dealing with something like

00:16:38   sync like the generic term for like one

00:16:41   of the hardest problems in computer

00:16:42   science I like that I can like so I'm

00:16:47   solving that problem in a way that makes

00:16:49   sense to me that I'm not having to kind

00:16:51   of shoehorn my application in the way I

00:16:54   think about it into the model that a

00:16:57   service provider provides and they say

00:16:59   like well you know we handle conflict

00:17:01   resolution using like last last updated

00:17:05   wins or something like that and like

00:17:06   maybe that works maybe it doesn't

00:17:08   and so when you build your app backend

00:17:10   yourself like I actually understand it

00:17:12   like I have to go I've gone through and

00:17:14   I've made the decisions at the various

00:17:17   levels of like well I want this to work

00:17:19   this way I want this to work that way

00:17:20   and so then down the road when I'm

00:17:22   debugging something and I have a better

00:17:25   understanding of how how I expected to

00:17:28   work and when things go wrong I have a

00:17:30   sense of where they might be

00:17:32   going wrong like is this an app problem

00:17:34   is this a web service problem and like

00:17:37   ultimately it probably also just like

00:17:38   makes my apps better and makes me a

00:17:40   better programmer

00:17:41   like having this breadth of experience

00:17:42   that at this point like I can build

00:17:46   something all the way from like the UI

00:17:49   and the application the business logic

00:17:51   inside of the application and then all

00:17:54   the way through to like the you know

00:17:56   then the web service that's managing

00:17:58   that information and a database at the

00:18:00   back that's storing that information

00:18:02   like having being able to do all those

00:18:04   things is just like good for me from a

00:18:08   career and personal development

00:18:09   perspective like I've learned to solve

00:18:12   more problems doing it this way that

00:18:16   ultimately I think makes me a better

00:18:17   developer like I write less my apps are

00:18:20   probably better because they're the kind

00:18:22   of calls they're making like I know what

00:18:24   the server is trying to do with those

00:18:25   calls and so you don't end up just like

00:18:27   well this is like the naive obvious

00:18:30   solution I'll just kind of throw all

00:18:31   this data at the server or I'll hey let

00:18:34   me just ask for all of it every day all

00:18:36   the time and because if the servers are

00:18:39   overwhelmed that's not my problem like

00:18:41   those are things that ultimately

00:18:43   probably make my apps better and like

00:18:45   you were saying it is kind of crazy how

00:18:46   inexpensive it is to do a lot of these

00:18:48   things now like just with a lot of my

00:18:52   things are just backed by like two or

00:18:54   three

00:18:55   you know VPSes that cost I mean like at

00:18:59   a basic one it's like $20 a month

00:19:00   there's something like that twenty forty

00:19:02   dollars a month like for a lot of my

00:19:04   applications I end up spending you know

00:19:05   maybe it's $100 a month in in servers

00:19:09   and that's really not too bad for the

00:19:13   kind of capability and the throughput and

00:19:14   the number of users that you can support

00:19:17   even with just at that level oh yeah I

00:19:20   mean even at the twenty bucks a month

00:19:21   server level on a modern host like

00:19:24   Linode or DigitalOcean you can get so much

00:19:26   for this for this money now and when

00:19:29   you're using boring old fast tools like

00:19:32   MySQL or Postgres and you're you have

00:19:35   like a modern web language in front of

00:19:36   it you know you have even in the old

00:19:38   ones PHP Ruby you know like Python or

00:19:41   more recently you might have like go you

00:19:43   know these these are so fast you can do

00:19:46   so much you can support so much usage

00:19:48   it's way more than you think because now

00:19:50   you know you have these modern

00:19:51   processors doing the virtualization you

00:19:53   have

00:19:54   SSDs on almost all these hosts now it is

00:19:56   incredibly fast to do and so like you

00:19:59   you really can support a lot on very

00:20:01   little hardware yeah and I think

00:20:03   ultimately that makes it a lot easier

00:20:04   like it's there the hardest problems

00:20:07   I've ever had to solve like the only

00:20:08   time I kind of regretted doing backends

00:20:10   myself is they were the early days of

00:20:13   Feed Wrangler my RSS syncing system

00:20:15   which like I was doing stuff that in

00:20:19   retrospect was really foolish and was

00:20:22   just crushing my database like it was

00:20:24   just my Postgres database was just

00:20:27   constantly dying and falling over and in

00:20:30   retrospect it was because I was being

00:20:33   you know deserves I've made a few really

00:20:34   bad assumptions upfront but even there

00:20:38   like that's the only time I've ever

00:20:40   really had to do any low-level

00:20:43   performance tuning of any of my

00:20:45   applications otherwise just out of the

00:20:47   box things are just fast and work and

00:20:50   it's fine in a way that like it would be

00:20:53   problematic if I you know if I really

00:20:55   needed to be like a database

00:20:56   administrator like a serious like you

00:21:00   know DBA whatever they call them these

00:21:01   days like doing that kind of work but

00:21:03   most of the times I just like install

00:21:04   Postgres with the defaults you know

00:21:07   tweak a few things how the way I like it

00:21:08   and then it's fine and it just runs

00:21:11   quickly enough for you know that my

00:21:13   users don't even really notice any kind

00:21:15   of performance issues or problems yeah I

00:21:18   mean like you might think if you've if

00:21:19   you haven't done this before or if the

00:21:21   last media this was like 10 years ago

00:21:22   you might think that running servers

00:21:24   requires lots of like low-level tweaking

00:21:26   and performance tuning and getting these

00:21:28   right config variables to like exactly

00:21:30   the right buffer size and everything and

00:21:31   you don't really need to do that anymore

00:21:33   that's very very rare for most people

00:21:36   need to get that that down into the

00:21:38   nitty gritty stuff it really is like as

00:21:40   you said that you can just install these

00:21:41   things with the defaults and usually

00:21:44   you're fine

00:21:44   that's usually what you need to do

00:21:46   because everything is just so good now

00:21:48   there's so much headroom the software is

00:21:50   very mature and a lot of these things

00:21:52   and and the hardware is very mature

00:21:54   too so you really get a lot of weight

00:21:57   with just the defaults now and I think

00:21:59   if you think one thing that I was kind

00:22:00   of looking forward to when we got it got

00:22:02   into this topic is you said you had a

00:22:03   few little pro tips for getting into

00:22:06   this kind of administration

00:22:07   because I think it is it can be a little

00:22:10   bit intimidating to it's like you know

00:22:13   like go and install Linux even then you

00:22:15   starts like well what version of Linux

00:22:16   what should I do

00:22:17   how to get started and it's remember a

00:22:20   bit being a little intimidating but at

00:22:21   least like what the fun thing is once

00:22:23   you get going like there's tremendous

00:22:24   resources and you can just kind of get

00:22:27   going and once you know it you know it

00:22:28   because this stuff doesn't really change

00:22:30   yeah basically like Google is your

00:22:33   friend you know not not the corporate

00:22:35   structure but you know the search engine

00:22:36   Stack Overflow like all these things

00:22:38   these are your friend because lots of

00:22:41   people have been running Linux servers

00:22:43   for years and as you said the tools and

00:22:46   the commands and what you need to do

00:22:47   doesn't change very often usually

00:22:49   typically you learn this stuff like

00:22:51   once and you have to learn something new

00:22:53   maybe every two years like it's it's

00:22:55   pretty it's pretty stable it doesn't

00:22:57   change much so number one tip I can give

00:22:59   is to pick a very popular but somewhat

00:23:04   conservative Linux distribution to do

00:23:06   this with for years I recommended CentOS

00:23:08   which was based on Red Hat

00:23:09   Enterprise Linux I think today I think

00:23:12   Ubuntu might have more momentum behind

00:23:14   it so I actually just I just managed my

00:23:18   first Ubuntu server recently and it's

00:23:21   it's things are a little bit different

00:23:23   but I was able to figure it out

00:23:24   so between CentOS and Ubuntu you can't

00:23:27   really go wrong turn on auto updates for

00:23:31   as much of the system software as it makes

00:23:33   sense to do that for usually every major

00:23:35   distro has a way to do this it's very

00:23:37   straightforward that will take care of

00:23:39   most security problems for you if you

00:23:42   basically are not an idiot which you're

00:23:44   not trust me you know if you're not an

00:23:46   idiot and if you leave things mostly at

00:23:48   their defaults with the distro and what

00:23:50   it comes with modern Linux distros are

00:23:52   very secure by default because they know

00:23:54   that that matters like the default

00:23:56   matter so they've all adopted pretty

00:23:58   conservative and pretty secure defaults

00:24:00   for the most part keeping things updated

00:24:02   automatically is very easy and things

00:24:04   like that on other high-level stuff

00:24:06   only run the software that you need to

00:24:08   be running and they're all very good at

00:24:10   letting you manage this so like if you

00:24:12   have a server that you have your website

00:24:13   on don't also install like well let me

00:24:16   install FTP so I can like trade files

00:24:18   with my friends like no just leave that

00:24:19   off that's just a liability it

00:24:20   just don't do that

00:24:21   you know install what you need to

00:24:22   install and if you want to play around

00:24:24   with different things you can create a

00:24:26   second VPS for like five or ten bucks a

00:24:27   month and play around on that don't play

00:24:29   around in your main servers run only

00:24:31   what you need to be running on them take

00:24:33   advantage of the built in isolation in

00:24:36   Linux machines especially with regard to

00:24:39   networking almost every service that

00:24:43   you'll be running will have some kind of

00:24:44   like listening port where you can say

00:24:45   alright this database should listen on

00:24:47   this interface on this port if you only

00:24:49   have one server make the

00:24:52   internal stuff listen on localhost so

00:24:53   that you can't log into MySQL from

00:24:56   outside like you shouldn't need to do

00:24:58   that anyway you should be doing things

00:24:59   on the server if you need you know

00:25:00   management stuff lock that down if you

00:25:02   have multiple servers use use private

00:25:04   networking every host that's worth their

00:25:06   salt support the private networking

00:25:07   between your between your own machines

00:25:09   so if you have multiple servers need to

00:25:11   talk to each other have them talk to

00:25:13   each other only over private interfaces

00:25:15   have things like MySQL or memcache

00:25:17   listen only on private or local

00:25:19   interfaces that helps a lot just make it

00:25:22   don't rely on like your

00:25:24   password being secure make it so that

00:25:26   passwords don't even work from the

00:25:28   outside so that also applies to things

00:25:30   like SSH when you're doing login remote

00:25:32   login so disable root logins once you

00:25:34   have a user set up have that user have

00:25:36   sudo access with the password and then

00:25:38   that user account that you're logging in

00:25:40   as say you're logging in as David make

00:25:41   that the only user that can log in via

00:25:43   SSH and make that key authentication

00:25:45   only disable password authentication in

00:25:47   SSH this is very simple stuff to do you

00:25:50   can Google how to do it so that right

00:25:53   there you have no way to log in with a

00:25:55   password you have to have the the

00:25:58   encryption key to log in that knocks out

00:26:00   massive you know brute force

00:26:02   possibilities and everything that helps

00:26:04   so so much between that and private

00:26:07   networking for private services you

00:26:09   really eliminate a lot of problems now

00:26:11   moving on slightly to user data collect

00:26:15   as little user data as possible to get

00:26:17   your job done because worst case

00:26:20   scenario somebody hacks into your server

00:26:22   worst case scenario they take your

00:26:24   database what do they have think about

00:26:27   it when you're designing your when

00:26:28   you're designing your database you're

00:26:29   designing your service what information

00:26:31   do you really need from people and what

00:26:32   can you get away with not having

00:26:34   if you don't need to get people's email

00:26:36   addresses don't get their email

00:26:37   addresses if you like if you're taking

00:26:39   passwords from people hash those so that

00:26:41   you know people aren't getting like just

00:26:43   the md5 like for God's sake don't do

00:26:45   that like you know use secure password

00:26:47   hashing like bcrypt with strong settings

00:26:48   there is lots of good practices for this

00:26:51   lots of things to tell you how to do

00:26:52   this I've considered even for overcast

00:26:53   like I do have the email addresses for

00:26:56   people because I figure yeah I need to

00:26:57   be able to I have email addresses and I

00:26:58   have hashed passwords with a strong

00:27:00   bcrypt but I'm like I've been thinking

00:27:02   recently do I even need the email

00:27:03   address could I could I have that too

00:27:06   cuz then then you have like if you steal

00:27:08   my database you just have no email

00:27:10   addresses like that would be amazing and

00:27:11   I was thinking like the only if you hash

00:27:14   the email address so it works just like

00:27:15   the password basically

00:27:16   then you could still have logins you can

00:27:19   still have password resets the only

00:27:20   thing you really can't do is I can't

00:27:23   like email people randomly out of my

00:27:25   database but I've never done that I

00:27:27   don't send a newsletter I don't do it

00:27:29   like I don't do any that stuff so you

00:27:32   know stuff like that

00:27:32   think about just like what data you have

00:27:34   what you're collecting and what you can

00:27:35   afford not to collect simple security

00:27:39   measures beyond that you know you should

00:27:41   have database backups you should also be

00:27:43   encrypting those backups there's

00:27:44   built-in stuff there's a crypt command

00:27:46   you can pipe tar through and everything

00:27:47   like this really simple stuff on Unix to

00:27:49   do all this very securely make sure

00:27:52   though that you are testing these

00:27:54   backups make sure you can decrypt them

00:27:55   it's so that's very important don't

00:27:58   store the encryption key only on the

00:28:00   server because then if that server gets

00:28:01   wiped or gets lost or whatever you've

00:28:03   lost your data and your backup

00:28:05   decryption key that's no good one

00:28:09   strategy I employ there is I write my

00:28:11   database backups I copy them onto a

00:28:14   write-only S3 account so like the

00:28:18   account the credentials that are on the

00:28:19   machines can only write to the bucket

00:28:21   they can't read or delete from it so

00:28:23   that way if somebody hacked into the

00:28:24   machine they can't also go and delete on

00:28:26   my backups so I have a separate you know

00:28:29   separate credentials that I can that I

00:28:31   can pull the backups off of there and

00:28:32   restore that never live on my servers

00:28:34   those those stay like with me and my

00:28:36   personal documents those never live on

00:28:37   the servers so you know keep things as

00:28:39   secure and separate as you can just by

00:28:41   design like this and that's really about

00:28:44   it for basic security stuff it really is

00:28:47   not as

00:28:48   as you think and you don't have to do

00:28:50   very much you don't have to like

00:28:52   constantly keep on top of your servers

00:28:54   and be constantly babysitting for the

00:28:55   most part you set it up and it basically

00:28:57   runs itself and if you set it up with

00:28:59   sensible defaults using conservative

00:29:01   software and some basic security

00:29:02   settings like what I've said here

00:29:04   you can be pretty much fine yeah exactly

00:29:07   and I think that it's the kind of thing

00:29:08   that if you can't do this kind of thing

00:29:12   and if like if everything that Marco

00:29:14   just ran through like is complete

00:29:16   gibberish to you like you should

00:29:17   probably do something about that it's a

00:29:19   good it's an important skill to be a

00:29:21   developer to understand some of these

00:29:22   basics they sort of like the

00:29:24   fundamentals that run the internet like

00:29:26   you should understand what this is and

00:29:28   you know just sort of take control of

00:29:30   that and you know just get a

00:29:33   five-dollar like VPS somewhere and start

00:29:36   messing around and start seeing you know

00:29:38   learning cuz that's how most people even

00:29:39   people learn this stuff you just start

00:29:41   doing it and you get better at it

00:29:42   alright we're out of time this week

00:29:44   thanks for listening everybody and next

00:29:46   week we're gonna go into a little more

00:29:47   detail about our server setups lessons

00:29:50   we've learned and how to minimize the

00:29:51   workload we'll see you next week okay