Archive for the 'Rants' Category

A few words of advice for used equipment sellers

I purchase a good deal of used electronic equipment for both work and personal use. Some of that equipment comes from eBay, some is purchased from companies who sell used equipment for a living. The two aren’t mutually exclusive, of course – there are a number of commercial vendors who sell through eBay as well as their own site.

Used equipment can represent a sizable savings over new, particularly when a manufacturer only has a “list price” and doesn’t offer discounts to any but their largest customers. Of course, you need to consider the cost of any required re-licensing (for example, on Cisco gear) when comparing the used price with new. But a large number of manufacturers make updates available for free to all, and in those cases you can often save a great deal of money. Most used equipment will come with at least a one-week warranty against being defective, but some sellers will offer a longer warranty – up to 1 year is common.

One of the best times for great deals is just as a device is no longer being sold as new by the manufacturer. There’s a further drop once the manufacturer no longer supports it with software updates, spare parts, and so on – but you probably don’t want to buy something that far along unless you plan to use it for spare parts yourself.

That’s the benefit to the buyer. But I’d now like to give some advice to sellers, both to ensure the largest market for their items and to avoid potential problems.

Getting the item ready for sale

  1. If the device has any configuration data, erase it before listing the device for sale.
    • Some devices have no way of resetting them to the default state unless the existing password is given, which means that if the seller doesn’t erase it before selling, the only way a buyer will be able to use it is if the seller is willing to tell them what the password is (not practical if it is the same password the seller is using on equipment they’re still using, or if they don’t know it). Otherwise, the device has to go back to the seller and the transaction voided.
    • Some other devices have a “reset the password only” option, or (insecurely) a “backdoor” password that works on all units. If the buyer does that, they will have access to the entire configuration of the device as the seller last used it – at a minimum, things like IP addresses, SNMP communities, and so on. Potentially even more sensitive information like access lists can be disclosed. Additionally, at least two major brands of devices have the (undocumented, but widely known) ability to read or decrypt the original password cleartext once a password recovery procedure is performed.
    • This is particularly important for disk drives and other storage media. Even if the drives were part of a RAID set, it might still be possible to recover chunks of data from individual drives. You can use a utility such as DBAN to erase drives that are still in the system. It offers a variety of erasure options, from a simple “write zeros to the whole drive” to multiple erase passes with random data. Note that even with this type of erasure, it may still be possible to recover data from certain areas of the disk (replaced defective sectors, for example). If you (or your company) don’t want to take the risk, you can remove the drives – but read on for a suggestion about disk trays and mounting hardware.
  2. If you’re selling something like a server and your company policy requires removal of the drives before the sale, put the empty hot-swap drive trays back in the server instead of trashing them with the drives. If the trays require oddball hardware to hold the drives in, put the screws in a small plastic bag and tape them securely to the disk tray(s). The buyer will thank you as they won’t have to scavenge for drive trays to get the server running with new drives.
  3. Unless you’re explicitly selling the item “as-is” or “non-working”, please test it before listing it. Having a 14-day (or longer) “no questions asked” return policy is nice, but neither the buyer nor you want to deal with shipping defective items back and forth. For some items, this can simply be installing (or leaving) them in a system and seeing if they work. Mechanical items like disk drives need some additional testing. Modern drives (anything in the last decade or so) have S.M.A.R.T. testing built in, so it is a simple matter to use something like smartmontools to test the drive and see if it has any problems before listing it. Just today I received a pair of SAS drives, each with less than 30 power-on hours on them, which had over 50 media errors each and had been logging S.M.A.R.T. errors since new (the first failure was logged at 0 power-on hours).
  4. Along with the above, it would be helpful to update the device to the latest available firmware “while you’re in there”, if that is something the manufacturer allows. I’ve received devices that were so old that several intermediate firmware updates were needed to get them to the current revision. In a number of those cases, the intermediate updates were themselves so old that the manufacturer had removed them from their web site as obsolete. That requires the user to go on a “scavenger hunt” through potentially untrustworthy sites to try to find firmware. Another reason to update before selling is that in some cases, the update procedure will only work in the specific brand of equipment the device came from. An example is Dell network cards – the Dell Server Update Utility only runs on Dell-branded servers. Dell network cards are mostly-generic Broadcom, Intel, etc. cards but often have Dell listed in the PCI Vendor ID on the card. This means that generic firmware updates from the manufacturer may fail to recognize the card. To continue my example, even if the user is putting the card in a Dell server, unless Dell offered the specific option card for the user’s server, the appropriate Server Update Utility may not detect / update it.
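A pre-listing drive check in the spirit of item 3, added here as an example (it is not code from the post): it parses the text that `smartctl -a` from smartmontools prints and refuses to call a drive “tested, working” if it shows reallocated or pending sectors, logged errors, a grown defect list, or a failed health check. The sample output is constructed in the layout of smartctl’s SATA attribute table; the SAS-specific lines the parser also understands follow that tool’s approximate layout and are not captured from a real drive.

```python
import re

# Attribute IDs whose raw value must be zero before a drive is listed as
# "tested, working"; names vary by vendor, the IDs are stable. Reallocated
# sectors also matter for the wipe advice above: an overwrite never reaches them.
BAD_ATTRS = {5: "reallocated sectors", 197: "pending sectors",
             198: "offline uncorrectable sectors"}

# Constructed sample in the layout of `smartctl -a` on a SATA drive (not a real
# capture): under 30 power-on hours, yet reallocated sectors and a full error log.
SAMPLE_SATA = """\
SMART overall-health self-assessment test result: PASSED
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       5
  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       28
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       0
ATA Error Count: 52 (device log contains only the most recent five errors)
"""

# SATA attribute table row: ID NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW
ATTR_ROW = re.compile(r"\s*(\d+)\s+\S+\s+0x[0-9a-fA-F]+(?:\s+\d+){3}"
                      r"\s+\S+\s+\S+\s+\S+\s+(\d+)")
# SAS error counter log rows (read:/write:/verify:), last column = total uncorrected
SAS_ROW = re.compile(r"(read|write|verify):(?:\s+\S+){6}\s+(\d+)\s*$")


def parse_smartctl(text):
    """Pull the fields the triage needs out of smartctl -a output (SATA or SAS)."""
    info = {"health_ok": None, "power_on_hours": None, "ata_errors": 0,
            "attrs": {}, "grown_defects": 0, "uncorrected": 0}
    m = (re.search(r"self-assessment test result:\s*(\w+)", text)
         or re.search(r"SMART Health Status:\s*(\w+)", text))
    if m:
        info["health_ok"] = m.group(1) in ("PASSED", "OK")
    for line in text.splitlines():
        if a := ATTR_ROW.match(line):
            aid, raw = int(a.group(1)), int(a.group(2))
            info["attrs"][aid] = raw
            if aid == 9:                      # Power_On_Hours
                info["power_on_hours"] = raw
        elif e := re.match(r"ATA Error Count:\s*(\d+)", line):
            info["ata_errors"] = int(e.group(1))
        elif g := re.match(r"Elements in grown defect list:\s*(\d+)", line):
            info["grown_defects"] = int(g.group(1))
        elif h := re.search(r"number of hours powered up\s*=\s*([\d.]+)", line):
            info["power_on_hours"] = int(float(h.group(1)))
        elif u := SAS_ROW.match(line):
            info["uncorrected"] += int(u.group(2))
    return info


def triage(info):
    """Reasons not to list the drive as tested-good; an empty list means OK."""
    reasons = []
    if info["health_ok"] is False:
        reasons.append("SMART health check failed")
    for aid, label in BAD_ATTRS.items():
        if info["attrs"].get(aid, 0):
            reasons.append(f"{info['attrs'][aid]} {label}")
    if info["ata_errors"]:
        reasons.append(f"{info['ata_errors']} errors in the SMART error log")
    if info["grown_defects"]:
        reasons.append(f"{info['grown_defects']} entries in grown defect list")
    if info["uncorrected"]:
        reasons.append(f"{info['uncorrected']} uncorrected media errors")
    return reasons

if __name__ == "__main__":
    print("\n".join(triage(parse_smartctl(SAMPLE_SATA)) or ["no problems found"]))
```

On a real drive, feed the output of `smartctl -a /dev/sdX` (run as root) to parse_smartctl; anything triage returns belongs in the listing or keeps the drive off the market.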

Listing the item for sale

  1. Be as descriptive as possible when listing the item. To give a specific example of why this is a problem, look for “PowerEdge R300” on eBay. That model was available with or without hot-swap drives and with or without redundant power supplies. It is not possible to convert a chassis from any of those configurations to another. Many times a seller will just say something like “PowerEdge R300 Quad-core 2.33GHz 4GB 2x 146GB HDD”. That doesn’t convey much useful information – in addition to the chassis type, it would be useful to know the exact CPU model, whether the disks are SATA or SAS and if there’s an add-on disk controller in the system, and whether or not there’s a remote access card. This is made even worse by the sellers that say “Stock photo” or “Photo may not represent actual item”. To add insult to injury, some of those same sellers will say “if it isn’t in the picture, it isn’t included” in the body of the listing. Dell’s web site is pretty good – if you know the “service tag” of a system, Dell’s site will show you the configuration as it shipped from Dell. Of course, the seller or a previous owner may have added, removed, or modified components, so don’t take the Dell list as the last word. As the seller, you can go to the Dell site and copy/paste the configuration into your sale listing once you verify that it’s accurate.
  2. If you’re selling something that isn’t an add-on component (like a network card or a disk drive), but can function as a standalone device (like a server, Ethernet switch or network-controlled outlet strip), provide all of the necessary accessories with it or explain clearly that they’re missing. This definitely includes rack mount ears/rails (if the device is rack mountable) and console cables (no two vendors do exactly the same thing once you get to anything newer than 9-pin serial connectors). If the device has cable-management hardware (bracket, etc.) and you have it, include that with the item. Likewise for the faceplate. It is also thoughtful to include the required power cord, at least if the seller and the buyer use the same type of electrical outlets. This isn’t vital, as there are a small number of possible mating power cords for modern equipment. But the buyer will usually appreciate your thoughtfulness, particularly if it is an unusual cord like an IEC C20 and they have to order one once they receive your shipment.

Shipping the item to the buyer

Pack the item well, preferably using the original manufacturer packaging (if still available). You’d be amazed at the way some stuff arrives here. I’ve received memory DIMMs rattling around loose inside a cardboard box. I’ve received servers where parts of the chassis were dented or damaged (usually parts that protrude beyond the basic rectangular shape, but sometimes the main chassis itself). I’ve received devices with glass faceplates that were smashed. I’ve received boxes where the cardboard was too thin for the weight of the item and had ripped during normal handling, with accessories falling out of the box and being lost in transit.

I’d like to be able to say “just take the item to your nearest parcel store and have them pack and ship it”, but that’s generally not a good idea. It seems that their solution for shipping anything is a thin-wall cardboard box and packing peanuts. Those peanuts are not acceptable for anything that might shift around or settle in the box. With enough practice, it is possible to ship fragile items using common materials – I have purchased many items from ex-Soviet countries where the contents were packaged entirely (but carefully) in newspaper and placed in a cardboard box and which arrived here in perfect condition despite their international travel and the rough handling of various foreign postal services.

Large items are generally either heavy or are light enough that they get charged “dimensional weight”, where the shipping company charges the package as if it weighs a certain amount per cubic inch. In general, the cost of reasonable insurance (value up to some hundreds of dollars) will be a small part of the total shipping cost, so it makes sense to insure the package. If you have to file a claim, be aware that you will often be asked to provide proof of adequate packaging before the shipping company will process the claim. I know of one company that took pictures of each box while it was being packaged and retained those pictures, both to deal with shipping damage claims and to prove that a certain item was in the box when it was shipped.

Conclusion

If, as a seller, you follow these steps I think you will find that your items will sell faster and your customers will be happier. And if I’m the customer, I’ll definitely be happier.

Dell PowerEdge R300 ESM / BMC firmware updates on non-supported operating systems

Dell has generally been quite good about making firmware updates available in a variety of formats. In addition to the normal Windows and Linux versions, most patches are also available as a floppy / USB image or an ISO image (depending on size). Those of us who don’t run one of the operating systems Dell provides support for appreciate them going through the trouble.

However, newer updates for older systems and updates for newer systems seem to no longer provide standalone installers. In theory, Dell provides a quarterly packaged roll-up of all available updates on a pair of DVD images (CDU and SUU). Booting these and wasting about 10 minutes switching discs should get your system updated to the latest versions of all firmware without any additional steps.

Unfortunately, the firmware for the R300’s ESM / BMC has not been on any SUU discs I’ve looked at, and the update is listed as “Critical Security Update” on Dell’s site (look under ESM on the R300’s downloads and drivers page). The only two formats it is available in are “Windows Update Package” and “Linux Update Package”. I figure that’s not a problem, as I can boot a Windows 7 recovery disk and then run the ESM update from a USB drive. Unfortunately, that doesn’t work. You get an error about “unsupported operating system”.

Next, I boot the CDU DVD and select F3 for Advanced Options. This eventually gets me to a Linux shell prompt (CDU/SUU operates under Linux). I mount the USB drive and execute the Linux version of the ESM update. That errors out with “Not compatible with your system configuration” for some unknown reason. Time to investigate further…

Clicking on “Previous Versions” on the Dell page shows the previous version as 2.46 from 2009. Looking at the available formats, one is listed as “Hard-Drive”. Depending on the mood Dell is in when they create the kit, this could be anything from a freestanding binary that writes a floppy image to a drive, to creating an ISO file, or something that just unpacks into a bunch of loose files somewhere, perhaps then trying to run them (incorrectly) on the local system.

I downloaded that file (link here) and discovered it created 3 useful files when it was executed:

  • bmcfl16d.exe – a DOS-based flash utility
  • bmccfg.def – some sort of configuration file
  • bmcflsh.dat – the actual firmware to be flashed

Now all I needed to do was to find newer versions of the last 2 files inside either the Linux or Windows installer. The Linux installer was a pain, and I quickly gave up on it. I had much better luck with the Windows version (link here). Despite being an EXE file, I was able to use WinZip 16.5 to open the file (browse to the directory where you downloaded the Dell update, then make sure you’ve selected “All files (*.*)” in WinZip’s Open Archive dialog). There’s a whole load of un-needed stuff in there (which doesn’t completely explain how a 655KB update turns into a 4800KB Windows binary). Find the bmccfg.def and bmcflsh.dat files and extract them on top of (replacing) the ones from unpacking the older download.

I copied the 3 files onto a bootable USB stick and then used that to boot the R300 to be updated. Here are some screenshots of the various stages of the procedure (it’s very simple – just answer Y or N when asked if you want to perform the update):

If the firmware is already at the latest revision, the utility will tell you that and exit. This can also be used to double-check that the update was successful:

That’s all there is to it. If you want a pre-built .ZIP file with the flash utility and the 2.50 image, I have placed one here for your convenience.

Advanced topics

The bmcfl16d.exe utility has a number of documented and undocumented additional features. You can use the -help option to get a list of the documented features. Before using one of these features when updating a system, be sure you know what you’re doing and have a fallback plan in case the update fails and you’re left with a non-operable system.

There is also an undocumented -advhelp (advanced help) option, which shows the additional undocumented options:

The above caution about knowing what you’re doing and having a fallback plan is doubly important if you try using any of the advanced options.

SOPA (and Go Daddy’s FORMER support for it)

Updated 23-Dec-2011 18:30: I received an email response to my letter stating that “Go Daddy is no longer supporting SOPA”. I’ll attach the complete response as the first comment to this post.

There had been a bit of an Internet buzz about SOPA (the Stop Online Piracy Act). Yesterday, Tom’s Guide reported that Go Daddy published a blog entry supporting SOPA. There are a number of sites organizing “boycott Go Daddy” programs and advocating the transfer of domains to other registrars, for example in this post on Reddit and this one on TechCrunch.

As someone who has registered a number of domains with Go Daddy, I wrote them a letter expressing my dissatisfaction with their policy. I’m including it in this blog entry, as I feel that others need to see it as well. Feel free to submit comments (either agreeing or disagreeing with me, but please keep it civil). Hopefully I’ll be able to keep comments open on this post without it degenerating into a free-for-all.

Date: Fri, 23 Dec 2011 00:36:45 -0400 (EDT)
From: Terri Kennedy <TERRY@glaver.org>
Subject: A hopefully more-reasoned SOPA comment from your customer
To: oop@godaddy.com, suggestions@godaddy.com
MIME-version: 1.0

  I read your “Position on SOPA” blog, but since comments are closed there (for obvious reasons), I felt I needed to contact you to tell you my feelings on the subject.

  I’m retired these days, but I’ve been in the computer business since the mid-1970s. I’ve been an owner or principal of hardware companies, software companies, and ISPs in the last 40 or so years. There’s no reason for me to mention the names of any of them – some you’ve never heard of, some are quite well known.

  I (and my companies) have suffered economic losses from software piracy (though in those days, we called it “stealing”). So I support REASONABLE anti-piracy measures. However, as currently proposed I feel that SOPA is not a reasonable measure.

  It would force service providers and registrars to act as enforcement agents without requiring the complainant to provide a reasonable justification for the enforcement action. It is essentially a conviction without a trial or defense. Even the much-maligned DMCA provides for the accused to assert a counter claim. Under SOPA, the accused may not even know that they are the subject of an action, until they hear from their customers that their site is inaccessible.

  Under existing legislation, we have already seen a number of instances where the DMCA was maliciously or inadvertently used to remove or render inaccessible content. In fact, GoDaddy was involved in a recent high-profile instance with vividwildlife.com: http://www.photoattorney.com/?p=3247

  There was also a recent instance where UMG asserted rights to a song, and claimed to have a “private arrangement” “outside the DMCA” with YouTube which lets them remove items, thereby stripping away the protections afforded by the DMCA. I am referring to the Megaupload Mega Song, as documented here: http://torrentfreak.com/megaupload-youtube-and-the-dmca-less-mega-song-takedown-111216/

  Further, SOPA appears to be just another escalation in a technological “whack-a-mole” arms race. As John Gilmore famously said, “The Net interprets censorship as damage and routes around it.” In my opinion, this technological warfare accomplishes nothing to prevent illegal acts, especially not ones performed by “commercial” counterfeiting groups and similar organized operations. It just makes life more difficult for the paying customers. Perhaps you’ve seen the “If you are a pirate, this is what you get” image:
http://cdn-www.i-am-bored.com/media/7125_piratemoviechart.jpg

  I would be much happier if you reserved your support for SOPA until it exists in a more balanced and practical form. In your own blog post, you use phrases like “changes we believe are necessary” and “room for some improvement”. As you repeatedly emphasize in your blog, you have over 50 million domains and a full-time presence in Washington. That gives you a very strong position to advocate changes to SOPA which would be more effective while still preserving the rights of the accused.

  I encourage you to reconsider your support of SOPA in its current form, and to work toward modifying it so that it will be both more effective in combating real infringing activities while also greatly reducing the chance that it will be abused.

         Sincerely (your customer),
         Terri Kennedy        http://www.glaver.org
         terry@glaver.org      New York, NY USA

BitTorrent DNA – A *REALLY* Bad Idea

As part of my computer upgrades (see my other blog posts), I had made a list of the software installed on my old computer. I visited the various distribution sites and downloaded and installed the latest versions of everything.

While the new computer was sitting idle, I started getting popups from Spyware Doctor informing me that “Spyware Doctor has blocked access to a bad web site”. The threat listed was “Trojan.Storm_Spam_Server”. Now, I didn’t have any Internet Explorer windows open (in fact, nothing was running except the utilities I run at startup – which doesn’t include the BitTorrent client).

Doing some poking around with WinDump led me to the btdna.exe process in \Program Files\DNA. Oddly, this process couldn’t be killed from Task Manager – I had to rename the executable and reboot the PC.

Once I did that, the Spyware Doctor popups stopped. I proceeded to deinstall both BitTorrent and DNA from my system, and they won’t be coming back.

I’ve been a casual user of BitTorrent for quite some time, mostly for downloading things like FreeBSD distribution ISOs. But this new behavior is inexcusable, for a number of reasons:

  • The application starts without the user’s permission – even if the user selects to not run the BitTorrent client at startup, btdna starts.
  • There doesn’t seem to be any way to shut it down permanently without deinstalling it.
  • It is interacting with many known bad sites – who is going to vouch for the program’s security?
  • Why is it interacting with any sites at all? I never started a download or viewed any content that it could “accelerate”.
  • Why is it stored in \Program Files\DNA? Is this an attempt to conceal that it is related to BitTorrent?
  • Upon viewing the official BitTorrent DNA web site, they claim that this is an accelerator that content providers can purchase access to in order to shift the burden of delivering content onto viewers. Yet the end user isn’t informed that this is happening. This is good for the content providers and BitTorrent. What’s in it for the user? Particularly if the user pays per KB of data transferred through their ISP (as in the case of a mobile user with a wireless network card, for example).

All in all, this strikes me as a really bad idea. My suggestion is to deinstall the DNA service (Start / Control Panel / Add or Remove Programs / DNA should do it, but you might want to check your \Program Files\DNA directory after deinstalling, just in case). Depending on whether you’re as disturbed about this as I am, you might want to deinstall BitTorrent as well and look at a different Torrent client.

UPS sucks, yet again…

I stayed home today to receive a package that was scheduled for delivery today. The status didn’t update on the UPS web site until after 7 PM (the time at which corporate magically loses the ability to contact the local UPS facility). Then the status changed to “THE RECEIVER WAS UNAVAILABLE TO SIGN ON THE 1ST DELIVERY ATTEMPT.” This despite the fact that I was home all day and the doorbell never rang and no notice was left at the door, and the claimed delivery attempt was at 2:59 PM, when the UPS driver never gets here before 5:30 PM. Since this fiasco is still in progress, I don’t have any additional info for this rant. However, you might like to look at this PDF file, which documents an “Early AM” shipment from last year which took a vacation from Newark to Kentucky and back to Newark, which “inexplicably” delayed its delivery. Another example of stellar UPS service (not!).