A Note About Small Sites

Small snort-deployments don’t require much planning. Almost any system or virtual-machine will suffice to experiment with Snort on a DSL or cable internet connection with a bandwidth of 5-10Mbits/sec, just jump right in. If you need to monitor 50-100Mbits/sec of network traffic, or 5-10Gbits/sec of network traffic, then this guide can help you size you size your sensor hardware.

Know Your Site

It helps to know a few things about your site before you start planning.

What link(s) do you intend to monitor?

The most common way to get started is to monitor your internet link(s). Many organizations also expand to monitor some internal links: data-center routers, site-to-site links, or networks with VIP workstations. Unless you know what you’re doing, I suggest starting with your internet links and expanding once you’ve got that performing well. There are generally far fewer internet links to consider, and they are often much lower bandwidth than internal links which can make your first deployment simpler.

Link Locations

Life is simple if you have a single internet connection at a single site. If your network is more complicated then you’ll need to work with the team that manages your routers. They can help you figure out how many locations will need to get a sensor and how many capture interfaces each of those sensors will need to monitor the links at that site.

How much traffic do you need to monitor?

The single biggest factor when sizing your snort hardware is the amount of traffic that it must monitor. The values to consider are the maximum burst speed of each link, and also its average daily peak. It’s common to have burst capacity well in excess of actual usage and when you design your sensors you must decide what traffic level you’re going to plan for. Planning for the burst value ensures that you won’t drop packets even in a worst-case scenario, but may be much more expensive than planning for the average daily peak.

For example, it’s common to contract with an ISP for 100Mbits/sec of bandwidth that is delivered over a 1000Mbits/sec link. The average daily peak for such a link may be 60Mbits/sec, but on rare occasions it may burst up to the full 1000Mbits/sec for short durations. A sensor designed for the relatively small amount of daily peak traffic is inexpensive and simple to manage, but may drop 80% of packets or more during bursts.

If MRTG or Nagios graphs of router utilization are available, they can be very helpful in capacity planning.

Inline, Tap, Span, or VACL Capture

There are various ways to extract traffic for examination. Inline deployments where Snort is used as an intrusion prevention system should be treated with great caution because sizing problems and configuration issues related to Snort can cause network problems and outages for all your users. When running a detection configuration in conjunction with taps, spans, or VACL captures, Snort problems generally don’t cause user-facing network outages are a much much lower risk.

Security teams generally favor taps due to their consistent performance even when a router is overloaded, but there are successful Snort deployments that utilize all of the above methods of obtaining traffic for inspection. Ntop.org has a good document on making the tap vs span decision, and the wikipedia page on network taps provides informative background as well.

Operating System Expertise

Consider what operating systems your technical staff have expertise in. It is common to run high-performance Snort deployments on various Linux distributions or on FreeBSD. At one time, FreeBSD had a considerable performance advantage over equivalent Linux systems but it is currently possible to built a 10Gbit/sec deployment on Linux or BSD based systems using roughly equivalent hardware.

I recommend against deploying on Windows because not all Snort features are supported on that platform. Notably, shared-object rules do not function on windows as of Snort 2.9.0.5. While there are far fewer shared-object rules than normal “GID 1″ rules, and they are released less frequently, they can still be a useful source of intelligence.

I also recommend against deploying Snort on *nixes other than Linux or BSD. Although Snort may work well on these platforms, the community employing them is much smaller. It will be much more difficult to find guidance on any platform-specific issues that you encounter.

It’s worth mentioning that my own experience is with high-performance Snort deployments on Linux, and parts of this post reflect that bias.

Single-Threading vs Multiple-CPUs

Snort is essentially single-threaded, which means that out of the box it doesn’t make effective use of multiple CPUs (technically there is more than one thread in a snort process, but the others are used for housekeeping tasks that don’t require much CPU power, not for scaling traffic analysis across multiple CPUs). As of August 2011, Snort on a single-CPU can be tuned to examine 200-500Mbits/sec, depending on the size of the ruleset used.

It’s possible to scale to 10Gbits/sec by running multiple copies of snort on the same computer, each using a different CPU. A multi-snort/multi-CPU configuration is quite a lot more complex to manage than a single-cpu deployment. Traffic from high-capacity links must be divided up into 200-500Mbit/sec chunks that can be examined by a single CPU, techniques to perform this load-balancing are discussed in the next section. Additionally, startup-scripts often must be customized and it can be difficult to manage multiple configuration files and log files. In spite of the management complexity, large organizations have successfully managed high performance Snort deployments this way for many years.

Suricata is a relatively new project that is well-worth keeping an eye on. It has a multi-threaded architecture that makes effective use of multiple CPUs, but is not as CPU efficient as Snort as of Suricata 1.0.0. As such, Suricata on a large multi-core system is much faster than Snort running on a single CPU, but about 4x slower than many Snort instances running on that same multi-core system. As Suricata matures, performance will improve. Additionally, managing a single Suricata instance is simpler than managing many Snort instances.

Traffic Capture Frameworks

Snort is a modular system that supports many frameworks for capturing traffic, but not all of them scale equally well.

AFPACKET

The default capture framework on Linux since Snort 2.9, afpacket provides no features to load-balance traffic between multiple instances of snort running on multiple CPUs. As such, it can’t scale beyond 200-500Mbits/sec of throughput without some external technique to balance the load between several network interfaces. Even with this limitation, afpacket is the simplest and best choice for snort deployments with less than 200Mbits/sec of traffic.

Libpcap 0.9.x

The default capture framework on Linux for the Snort the 2.8.x series and prior, libpcap is very similar to afpacket from a user-perspective. It also lacks a built-in load-balancing feature, and can scale to a few hundred Mbits/sec of traffic. Consider upgrading Snort and using afpacket instead.

Libpcap >= 1.x.x

Around 1.0.0, libpcap introduced an mmapped feature designed to improve capture performance. Unfortunately the feature backfired and reduced performance due to a hard-coded buffer-size that is too small for most sites. Use afpacket instead unless you know what you’re doing.

PFRING and TNAPI/DNA

Pfring is a linux kernel-module that provides load-balancing through its ring clusters feature. It additionally supports several capture cards through its TNAPI/DNA high-performance drivers, which are available for $200-250 from the ntop store. Pfring, used in conjunction with a TNAPI-compatible network interface, is the least expensive method available to load-balance traffic to several instances of Snort running on several CPUs, and can scale to 10G on appropriate hardware.

High-Performance Capture Cards

Endace and other companies manufacture high-performance capture cards with integrated drivers that have load-balancing features. Depending on speed and features these cards can cost anywhere from $2,000-$25,000, and at the high end scale to 10Gbits/sec. Most of my high-performance Snort experience is on Endace hardware, which has its niggles but generally works very well.

Sourcefire 3D Hardware

Last, but certainly not least, Sourcefire sells snort hardware that is throughput rated and can simplify much of your planning. Managing a multi-Snort deployment is a lot of work, and Sourcefire has designed their systems to provide the power of Snort with an easy to manage interface, plus some features like RNA that are only available via Sourcefire. They’re more expensive than similar hardware to run open-source snort, but they may be more cost-effective in the long-run unless your organization has a do-it-yourself culture with time and technical expertise to tackle a complex open-source Snort deployment.

Traffic Management Techniques

The following traffic management techniques can be used in conjunction with the capture frameworks above to provide additional flexibility.

Hardware Load-Balancers

Gigamon, CPacket, and Top-Layer produce specialized network switches that can perform load-balancing to multiple network interfaces. The port-channeling feature of retired Cisco routers can be used to similar effect. These devices can be used to distribute traffic to multiple network interfaces in a single server or even to multiple servers, possibly scaling beyond 10G (I haven’t tested beyond 10G). I’ve worked with both Gigamon and Top-Layer hardware and found that they both do what they claim, although only Gigamon offers many 10Gbit/sec interfaces in one device. CPacket has been used by knowledgeable peers of mine and offers a unique feature that allows you to use any vanilla network switch to expand the port count of their load-balancer by using mac-address rewriting. These systems are fairly expensive, typically carrying 5-figure price tags, but often can be put to many uses in a large organization.

Manual Load-Balancing

Sometimes, traffic can be manually divided simply by configuring routers to send about half of your networks over one port and half over another. This “poor man’s” load-balancing can be cost-effective for links that are just a bit too large for one network interface.

Linux Bonded Interfaces

The opposite of load-balancing, if you have several low-bandwidth interfaces that you would like to inspect without the overhead of managing multiple copies of snort you can use bonding to aggregate them together as long as the total throughput isn’t more than a few hundred Mbits/sec.

Sizing Hardware

Now that you know how many locations you need to place a server at, how many links there are to monitor at each location, and what capture-frameworks can work for you, it’s time to choose your servers.

CPU

A very rough and conservative rule of thumb is that Snort running on a single CPU can examine 200Mbits/sec of traffic without dropping an appreciable number of packets. Snort can examine 500Mbits/sec of traffic or even much more on a single CPU with the right networking hardware and a very small or very well-tuned ruleset, but don’t count on achieving that kind of throughput unless you have tested and measured it in your environment. Martin has posted a more detailed CPU sizing exercise on his blog if you’d like to dig a little deeper.

Remember that snort is single-threaded. Unless you plan to use a load-balanced capture-framework, single-CPU performance is more important than number of cores. Alternately, if you know that you have lots of traffic to monitor, you’ll need a multi-core system paired with a load-balanced capture framework. Snort scales very linearly with the number of cores you throw at it, so don’t worry about diminishing returns as you add cores.

RAM

Each snort process can occupy 2Gbytes-5Gbytes of ram. How much depends on:

• Traffic – The more traffic a sensor handles, the more state it must track. Stream5 can use anywhere from a few Mbytes to 1Gbyte to track TCP state.
• Pattern Matcher – Some pattern matchers are very CPU efficient, and others are very memory efficient. The ac-nq matcher is the most cpu-efficient, reducing CPU usage by up to 30% over ac-split, but adding over 1Gbyte of ram usage per process.  The ac-bnfa matcher is quite memory efficient, reducing ram usage by several hundred Mbytes per process, but increasing CPU usage by up to 20%.
• Number of rules – The more rules that are active, the more memory the pattern matcher uses.
• Preprocessor configs – The stream5 memcap is one crucial factor for controlling memory usage, but all preprocessors occupy memory and many can be configured to be conservative or resource-hungry.

A Snort process inspecting 400Mbits/sec of traffic, with 7000 active rules, using the ac-nq pattern matcher (which is memory-hungry), and a stream5 memcap of 1Gbyte uses about 4.5Gbytes of RAM. With a smaller ruleset and the ac-bnfa pattern matcher (which is memory-efficient), I’ve observed snort processes use about 2.5Gbytes of RAM.

Note that the operating system and other applications will need some RAM as well, and if you don’t have unusual needs 2G is generally plenty. A detailed discussion of RAM sizing for the database is beyond the scope of this post, but generally for a multi-snort deployment it’s worth putting the database on a separate server that has 1-4Gbytes of RAM.

Disk Capacity and I/O

Snort generates very little disk I/O when outputting unified2 logs. Similarly barnyard2 generates very little I/O when reading them. Any hard-disk configuration, even a single low-rpm disk will meet snort’s performance needs.

A detailed discussion of the database I/O needs is beyond the scope of this post. Again, most multi-snort sites should consider putting the database on a different server.  I/O needs will vary depending on the alert-rate, the number of users querying the database, and the front-end used, but in general a 4-disk raid-10 will suffice even for a large multi-gigabit deployment. Small sites with only a few hundred megabits/sec of traffic could even use a single-disk if it meets their availability requirements.

Administrative Network Interface

Snort doesn’t generate a notable amount of network traffic on the administrative interface unless you’re connecting to the database over a low-bandwidth wan-link. Any network interface that is supported under Linux will suffice for even the largest 10Gbit/sec deployments.

Capture Network Interfaces

Each site has widely varying requirements for capture interfaces, so it’s difficult to make generic recommendations. Consider the following factors:

• Have enough servers to put one at each site where there is a link to be monitored.
• Have enough interfaces in each server to monitor the number of links at its site.
• Ensure that each interface is fast enough to monitor the link assigned to it without dropping packets.
• If any individual link exceeds about 200Mbits/sec, employ a capture framework that features load-balancing and select a compatible interface.

PCI Bus Speed

At multi-Gbit/sec traffic rates, it is possible to saturate the PCI Express bus. Each PCI Express 16x slot has a bandwidth of 32Gbits/sec (4Gbytes/sec), 8x slots are half that, and 4x slots are half again.Theoretically, each slot has dedicated bandwidth such that two PCI Express 16x slots should have a combined bandwidth of 64Gbits/sec, but in practice the uplink between the PCI Express bus and the main memory bus is different in each motherboard chipset and may not be fast enough to provide the full theoretical bandwidth to every slot.

Bus saturation is only a potential issue at very high traffic rates, either involving multiple 10Gbit/sec links or inspection of a single 10Gbit/sec link with multiple sensor applications. Be prepared to split sensor functionality across multiple servers if testing shows unexpected performance bottlenecks that might be related to bus saturation. Hardware load-balancers such as those sold by Gigamon can be useful to duplicate and load-balance very high traffic rates to multiple 10Gbit/sec sensors.

Putting It All Together

There are many factors to consider listed above, but 80% or more of cases fall into a few broad classes that can be summed up briefly:

1. One or two links, 200Mbits/sec or slower – Almost any server you buy today can handle this. Get 2-4 cores, 8 Gbytes of ram and 2-4 network interfaces of any type if you want to maximize your options.
2. One or two links, 200-400Mbits/sec – You should consider multi-snort load-balancing with PFRING or another suitable capture framework. If you’re going try to feed this traffic to a single-snort instance in order to avoid the maintenance overhead of multi-snort, get the highest-clocked fastest single-CPU that you can find, otherwise any system with sufficient RAM will work well.
3. One or two links, 500-1000Mbits/sec – You need multi-snort, consider pfring and with a TNAPI compatible network interface listed on ntop.org.  You’ll need 2-4 snort processes, which means 10-20Gbytes of ram and a quad-core system.
4. One or two links 1-10Gbit/sec – You definitely need multi-snort with high-performance capture hardware. I’m partial to Endace, but pfring with a 10G TNAPI-compatible card should also work. You need 1-core and 4Gbytes of ram for every 250Mbits/sec of traffic that you need to inspect. Alternatively, consider a Sourcefire system. If you’re just getting started with Snort this is going to be a big project to do on your own.
5. Many links or greater than 10Gbit/sec traffic – Try to break the problem down into multiple instances of the above cases. A Gigamon box at each site may give you the flexibility that you need to split the problem across multiple servers effectively. You also might also need a moderately high-performance database server, properly tuned and sized.

Wrapping Up

Good luck with your new Snort server. Now go get some rules:

• Emerging Threats: Excellent for detecting trojans and malware that have successfully compromised systems on your network and are “phoning home”. The ET rules are available free of charge and anyone can contribute fixes or new rules if you find a gap or problem with the ruleset.
• VRT Subscriber Feed: Excellent for detection of exploits and attacks before they become compromised systems. The subscriber feed is developed and maintained by the experts on Sourcefire’s Vulnerability Research Team, and they charge $30/yr for a personal subscription or $500/yr for a business subscription.
• VRT Registered Feed: The registered feed contains the same rules as the subscriber feed, but updates are released 30-days after subscribers receive them. The registered feed is a reasonable alternative for personal use, but if you’re protecting a business I recommend the subscriber feed.
• ETPro: ETPro aims to supplement the ET community sigs with attack/exploit sigs similar to what the VRT provides. Pricing is $35/yr for personal use or $350/yr for businesses. I haven’t used it, though it’s on my todo list to try.

Once you’ve got things running, consider reading my slides on monitoring Snort performance with Zabbix to see how well you sized your system.

License and Feedback

If you find errors in this guide or know of additions that would improve it, leave a comment below.

Capacity Planning for Snort IDS by Mike Lococo is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
Permissions beyond the scope of this license may be available at http://mikelococo.com/2011/08/snort-capacity-planning/#license.

If you’d like to reuse the contents of this post but the cc-by-sa license doesn’t work for you for some reason, I’m happy to discuss offering the contents of this guide under almost any reasonable terms at no cost to individuals and corporations alike. Whether you work for Sourcefire, the OISF, or are just another community member writing a Snort guide, I’m happy to work something out that lets you use any portion of this post you need. Leave a comment below or contact me using the information on the about page if you’d like to discuss.

• A comparison of high-performance capture-frameworks like vanilla-libpcap vs pfring vs dedicated capture cards from Endace or similar.
• An overview of the perfmon preprocessor and the –enable-perfprofiling configure-option that allow snort to log useful performance metrics.
• A very brief overview of Zabbix as a system-monitoring framework, followed by some worked-examples of actual snort problems that are analyzed using data collected by Zabbix.

The presentation-video is available only to REN-ISAC membership, but I’m making the slides and my notes available here. They’re a bit rough, but if I get questions in the comments here or on the snort-users mailing list I’ll try to be helpful. If there’s enough confusion based on the roughness of the slides, and enough interest to warrant it I can expand the presentation into a series of blog-posts to clarify some of the points that are unclear. In the meantime, have a look at an article by Juliet Kemp that fleshes out some of this material called Use Profiling to Improve Snort Performance.

Update 2012-02-09: The notes for slide 16 of this deck assert that the averaging period for the “Drop Rate” provided by perfmon is the lifetime of the Snort process instead of the data-collection period, and warns of the type of confusion this can cause. That note is incorrect, the Drop Rate is averaged over the data-collection period like everything else. The misinformation was from my own research, dating back several versions of Snort. It’s possible that my original analysis was mistaken, or that I noticed a bug which has since been quietly fixed.

• I’ve migrated from Laughing Squid shared hosting to a linode virtual private server. Laughing squid has been good to me over the years, but I’ve gotten to the point where I really want a root shell on my web-server. And VPS’s have gotten cheap enough now to be a reasonable option.
• I’ve retired the WuCoco Theme. It’s also had a good run, but I don’t have time or interest in bringing it up to date with the latest WordPress features. I’m now using a mildly tweaked version of Twenty Ten, which will likely continue to evolve.
• General post, page, and link pruning.

This move should lay the groundwork to roll out some of the genealogy resources I’ve talked about wanting to make. When I’m done, there should be some mailing-list archives, a wiki, and maybe an image gallery… hopefully all authenticated via OpenID. We’ll see how it pans out, but preliminary tests have gone well so far.

I gave a presentation on virtualization security at the Educause Security Professionals Conference in April, and there seemed to be agreement and frustration about the lack of available survey material, which gave me the motivation I needed to polish up this paper for release.  It includes a basic taxonomy of virtualization technologies for security practitioners, an overview of attacks in virtualized environments, a list of best-practices with links to more detailed documents, and identifies areas where best practices haven’t yet been established.

Read Virtualization and Security Boundaries.

• Dual-core Processor: Both cores are detected on the 2.17GHz Intel Core Duo processor, the 32bit i686 smp kernel is installed and just works. Dynamic CPU frequency scaling works well and if you wish to monitor/change the scaling behavior there’s a gnome panel applet to do so. I haven’t tried the 64 bit build, but most reports I’ve read indicate that it works well.
• USB: Works, no config needed.
• PCMCIA Slot: Works, no config needed.
• Touchpad/Track Stick: Works, no config needed. Install gsynaptics from Extras if you want to customize the trackpad behavior.
• Suspend to Ram: How this works will depend on the options you ordered your laptop with and the video drivers you’re using. My understanding is that it will work fine out of the box with Intel graphics or if you’re using the open source NV drivers with your NVidia card, however both of these options have fairly poor 3D performance. With some tweaking, suspend can also be made to work when using the proprietary drivers that will allow you to have strong 3D performance with one of the Quadro cards offered in the D620. Classohm.org has detailed instructions (for the D800/F7, but they apply here as well). Since the NVidia cards offered in the D620 are PCI-E and not AGP, you can skip the AGP tweaks and just create the scripts in /etc/pm/config.d/. I’ve tested suspend with kernel 2.6.23.9-85/smp.
• Hibernate to Disk: Untested, please report if this works out of the box or if you have a link with instructions on any required tweaking.
• Ethernet: Works, no config needed.
• Wireless Networking: I didn’t have to jump through any hoops, other than to enable the network manager applet in order to avoid using iwconfig from the terminal all the time. Dawid Lorenz reports trouble that he solved by switching from the built in iwl3945 to the freshrpm’s ipw3945, which have worked well for me on previous versions of Fedora. Note that the awful Broadcom 4310 required ndis-wrapper to be supported in past versions of Fedora, I’m not certain what state it’s in today.
• Bluetooth: Works, no config needed.
• 2D Video: Works, no config needed.
• 3D Acceleration: The NVidia Quadro 110M works well after installing nvidia-x11-drv from freshrpms, bumping glxgears performance from ~900fps to ~2300fps. Don’t forget to install kernel-devel for your kernel version and reboot. Note that installing the proprietary drivers will bork suspend/resume until you fix it using the instructions above.
• External Monitor: If all you want is to switch to the external output instead of the internal LCD, you can do so easily right out of the box. Use the screen resolution control panel to set your resolution, and Fn-F8 to toggle between the displays. If you choose to install the NVidia driver, it includes a simple dialog for setting up multimonitor support using TwinView. TwinView isn’t perfect, windows maximize dumbly (across both displays) and if the resolutions of the two monitors are mismatched there’s an area where it’s possible to move the mouse and place windows that doesn’t show up in any monitor. All in all, it’s a bit lame but does get the job done in a pinch.
• CD/DVD Burning: Works out of the box. At one time this tweak substantially improved burn speed and system responsiveness while burning, I haven’t tested to determine if it’s still needed. Post a comment if you’ve done testing.
• Sound Playback: Works, no config needed.
• Sound Recording: Works, no config needed. If you’re not getting recorded sound, check the Volume Control app to make sure that capture is enabled and the recording level isn’t way down.
• Volume Keys: Now work out of the box. You can mess with the key bindings in System –> Preferences –> Keyboard shortcuts but they control volume without any tweaking now.
• Radio On/Off Switch: Works fine, and has a noticeable effect on battery life. You may need to “up” the interface with the connection manager of your choice if you enable the radio while the system is running.
• ACPI Power Management: All the power management features work (fan speed autoadjusts, cpu frequency scaling works, there’s a gnome applet to easily control it).
• Fingerprint Reader: Untested.
• Modem: Untested.

Output of lspci

00:00.0 Host bridge: Intel Corporation Mobile 945GM/PM/GMS, 943/940GML and 945GT Express Memory Controller Hub (rev 03)
00:01.0 PCI bridge: Intel Corporation Mobile 945GM/PM/GMS, 943/940GML and 945GT Express PCI Express Root Port (rev 03)
00:1b.0 Audio device: Intel Corporation 82801G (ICH7 Family) High Definition Audio Controller (rev 01)
00:1c.0 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 1 (rev 01)
00:1c.1 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 2 (rev 01)
00:1c.2 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 3 (rev 01)
00:1d.0 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #1 (rev 01)
00:1d.1 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #2 (rev 01)
00:1d.2 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #3 (rev 01)
00:1d.3 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #4 (rev 01)
00:1d.7 USB Controller: Intel Corporation 82801G (ICH7 Family) USB2 EHCI Controller (rev 01)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev e1)
00:1f.0 ISA bridge: Intel Corporation 82801GBM (ICH7-M) LPC Interface Bridge (rev 01)
00:1f.2 IDE interface: Intel Corporation 82801GBM/GHM (ICH7 Family) SATA IDE Controller (rev 01)
00:1f.3 SMBus: Intel Corporation 82801G (ICH7 Family) SMBus Controller (rev 01)
00.0 VGA compatible controller: nVidia Corporation G72M [Quadro NVS 110M/GeForce Go 7300] (rev a1)
03:01.0 CardBus bridge: O2 Micro, Inc. OZ601/6912/711E0 CardBus/SmartCardBus Controller (rev 40)
09:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5752 Gigabit Ethernet PCI Express (rev 02)
0c:00.0 Network controller: Intel Corporation PRO/Wireless 3945ABG Network Connection (rev 02)

It’s not always possible to ssh to a host directly. Many networks require high-value systems to be accessed via an intermediate bastion/proxy host that receives extra attention in terms of security controls and log monitoring. The added security provided by this connection bouncing comes with a cost in convenience, though. It requires multiple logins to access the protected systems and substantially complicates scp/stfp file transfers.

Fortunately, there are a number of ways to automate connection bouncing and make it as convenient as direct connection. There are already a number of web-sites detailing the approaches to this issue, and I won’t repeat their contents, to get a broad overview of the topic read the following:

• SSH Bouncing Part 1 from Hacking Linux Exposed
• SSH Bouncing Part 2 from Hacking Linux Exposed
• Using rsync through a firewall, the concepts in this document apply to all SSH setups, not just those integrating rsync

Terminology

SSH Connection “Chaining”

Connection “chaining” refers to any approach that involves sshing to an intermediate host, and then sshing from the intermediate host to the next host (for example: ssh 1 'ssh 2 "ssh 3"'). This solution is attractive for setups with many hops because it’s easy to extend, for example sshto makes this very easy. The primary disadvantage is that end-to-end encryption is lost. The connection is decrypted by every host in the chain, and an attacker with sufficient privilege on an intermediate system can sniff the connection without compromising either of the endpoints. I consider this to be a significant failing, and have a strong preference for “stacked” connections wherever they are logistically feasible.

SSH Connection “Stacking”

Connection “stacking” refers to any solution that involves tunneling ssh connections inside each other. “Nesting” strikes me as a better term, but stacking seems to be more widely agreed upon. It is typically implemented with proxy-commands or with ssh port-forwarding. It can be more difficult to manage for connections with many hops, and it forces one of the endpoints to bear the encryption load of all the connections (in chained setups, the load is spread evenly among all the hosts in the chain). It does maintain end-to-end encryption, preventing connection/credential sniffing by intermediate hosts.

My Setup

The key properties for my setup are:

• End-to-end encryption is maintained using stacked connections
• Only a single intermediate host is involved, the proxy features I utilize do not trivially scale to longer connection paths
• Putty is used for shell connections, and WinSCP is used for scp/sftp connections
• No special software is required beyond a default Putty installation, WinSCP, and an SSH server with port forwarding enabled. Specifically, netcat is not required on the intermediate host as is common with ProxyCommand setups.

WinSCP Config

The WinSCP Config is quite simple and utilizes its “tunnel” feature. Open WinSCP and configure a saved session for the final destination host as follows:

1. On the Session page, fill in the hostname and user name for the final destination host. Leave the password blank.
2. Check the “Advanced options” box in the login dialog.
3. Select the Connection –> Tunnel page.
4. Check the “Connect through SSH tunnel” box.
5. Fill in the Host name and user name of the intermediate host. Leave the password blank.
6. Save the session using the button in the lower right-hand corner of the window.

When you log in using the new profile, you will be prompted for two passwords. The first is for your account on the intermediate host, and the second is for your account on the final-destination host. After login, the bounce is entirely transparent and WinSCP works as if you had connected directly to the final-destination host. The connection process can be made even more transparent and secure by using public key authentication with Pageant instead of passwords.

Putty Config

The Putty setup is slightly more complicated and requires that public key authentication be used on the intermediate host. It utilizes Putty’s “local proxy” feature, which allows you to specify an arbitrary command on the local machine to act as a proxy. Instead of creating a TCP connection, PuTTY will communicate using the proxy program’s standard input and output streams. Our local proxy will be plink, which is a command-line ssh connection program included in the Putty default installation. Plink’s -nc option provides functionality similar to the ProxyCommand/netcat approach, but does so using the ssh server’s native port-forwarding interface and does not require that netcat be installed on the intermediate system. To set things up, configure a saved session for the final destination host:

1. Configure public key authentication for the intermediate host and make sure it works.
2. Start putty and on the “Session” page of the “Putty Configuration Dialog” that appears, fill in the host name and user name for the final destination host.
3. Switch to the Connection –> Proxy page, select “Local” as the proxy type enter the following as the local proxy command: plink.exe intermediate.proxy.host -l username -agent -nc %host:%port\n
4. Save the session.

Remember to replace “intermediate.proxy.host” with your intermediate hostname and “username” with your real username. “%host” and “%port” are variables that putty will feed to plink at connection time, so leave those as is. If all is working properly, when you log in using the new profile plink will handle the login to the intermediate system silently. Putty isn’t smart enough to prompt if the proxy command requires user input, so you’ll get a connection error if public key authentication on the intermediate host isn’t working. If you use password authentication on the final destination host you’ll be prompted for your password, or if you use pubkey authentication there as well you’ll land at a prompt with no fuss at all.

If you have trouble, make sure plink is executing properly. You may need to enter the full pathname, usually c:\program files\putty\plink.exe. You can also try executing the plink command from a prompt, remembering to substitute the %host and %port values of your final destination host. If it’s working properly, you’ll be logged into the intermediate system with your pageant-cached private key, and instead of a prompt you’ll be presented with the SSH banner for your final destination system.

First off, if you’re not already quite familiar public key authentication, go read the three part IBM developerWorks series on the topic (1, 2, 3), which is the best primer I’ve found. I’m using public key authentication with encrypted keys, am caching my credentials with ssh-agent, and am using keychain as my interface to ssh-agent. My primary goal was to automatically run keychain --clear to clear my credentials any time I left my system unattended. I also outline how to run keychain ~/.ssh/id_rsa when you return to your system (or whenever you open a shell) in order to reload your ssh key.

Login

When I log in to my system, keychain runs and does some housekeeping. It starts an ssh-agent process if one isn’t already running and prompts for the passwords to my ssh keys if they aren’t already loaded, or if all that has already been done it just reports its status and exits. The following lines can be placed in ~/.bash_profile which is executed when you log into your system (via remote ssh session, text console, and oddly enough gnome executes bash_profile on login as well).

if [ "$PS1" ]; then
/usr/bin/keychain ~/.ssh/id_rsa
source ~/.keychain/yourhostname-sh
fi

The “if” statement ensures that keychain is only run for interactive shells. Because keychain generates output on execution it can confuse some programs that run non-interactively, notably sftp breaks if you don’t do this.

New Shell

I actually like keychain to run every time I start a new shell, not just when I first log in. This means that I can clear my credentials manually if I won’t be using ssh for a while and when I open a fresh terminal window (or “window” in a screen session, or whatever) keychain automatically prompts me for my password. This can be done by placing the same lines from above in ~/.bashrc instead of bash_profile (bashrc is executed from bash_profile, so you only need one or the other).

Screensaver

When my screensaver turns on, it’s an indication that I’m away from my desk and that my credentials should be cleared. To my knowledge, gnome-screensaver does not provide per-user screensaver-on and screensaver-off scripts where you can easily add these sorts of things (it should, if you ask me). It does, however, emit a DBUS signal that you can listen for and act on. I found some folks using python scripts to handle similar needs and adapted them for my purpose, others have done similar things with bash script. Once you’ve customized your DBUS signal listener script, add it to your default gnome session using System –> Preferences –> Personal –> Sessions so that it’s automatically started when you log in.

#!/usr/bin/python
import dbus
from dbus.mainloop.glib import DBusGMainLoop
import gobject
import os
 
def clear_keychain(state):
"""Called when screensaver on/off events occur"""
 
# clear ssh keys when screensaver turns on
if state == True:
os.system('/usr/bin/keychain --clear')
 
# Load ssh keys when screensaver turns off
#     if state == False:
#          os.system('/usr/bin/keychain id_rsa')
 
# Connect to the gnome session bus:
dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
bus = dbus.SessionBus()
 
# Listen for SessionIdleChanged signals
bus.add_signal_receiver(clear_keychain,'SessionIdleChanged','org.gnome.ScreenSaver')
loop = gobject.MainLoop()
loop.run()

Logout

Logging out of the system (whether from a remote ssh session, a local text console, or a graphical gnome session) is an indication that my workstation is going to be idle for a while and that my credentials should be cleared. This can be (mostly) accomplished by making an addition to ~/.bash_logout. This file is run any time a non-gnome login shell exits, like a remote ssh session or a local text console session (but not terminal windows in gnome, screen windows, or other non-login shells):

/usr/bin/keychain --clear

For some utterly insane reason, gnome doesn’t execute bash_logout even though it does execute bash_profile on login, and it doesn’t provide a sane alternative. The only method I’m aware of for running a script on gnome-logout involves xsession hackery, but I’ve punted on this issue since I rarely exit my gnome session. If you find an elegant solution, leave a comment.

Other SSH Tips

• SSH Aliases: This is somewhat off-topic for this article, but is such a great timesaver that it bears a quick mention in any article about ssh. You can define short names for hosts you ssh to often in ~/.ssh/config.
• Clearing Credentials At Login: An alternative to all of this, and one of the strategies suggested in the developerWorks series is to start keychain with the –clear option in .bash_profile or wherever you call it from. The assumption is that by clearing your credentials on login instead of logout, you can stay authenticated all the time (and gain the benefit of being able to run cron scripts) but an attacker will lose access to your credentials the moment they try to access your account. It’s an interesting strategy, but not one I’m entirely comfortable with. I prefer to clear my credentials when they’re not being used, and designate special-purpose keys with appropriate constraints for cron jobs.

Conclusion

With the tips in the developerWorks series, and the information in this article, you can have an incredibly convenient ssh key management setup while you’re using your computer and know that your credentials will be automatically cleared when you’re away from your system.

I’m incredibly excited about the move. Since my partner lives in New York, I’ve been job hunting there for almost a year and half and I’ve found that it’s a very competitive market. I needed to do a lot of professional development in order to be considered seriously for the positions I wanted, and this was the most interesting position I saw or applied for in my entire search. To have been hired into it just fantastic.

So anyhoo… I’ll be selling or giving away most of my stuff this month so Laura, Kip, and I can fit into an apartment the size of a shoebox. Have a gander if you need anything.

Determining Battery Health

There are several methods of determining your battery’s capacity relative to it’s initial specification (aka “health”).

• Press and hold the status button located on the bottom of your battery. The five LED lights will initially display your battery’s current charge (five lights is charged, zero lights is discharged), and if you continue pressing the status button for three seconds the lights will blink off and back on again, now displaying the health of your battery. If zero lights appear your battery is operating at greater than 80% of its specified capacity, if five lights appear your battery is operating at less than 60% of its specified capacity. This information was pulled from the D620 User Guide.
• If you enter the system BIOS by pressing “F2″ during the Dell logo while booting, there is a “Battery Health” option under the “Sytem” menu which gives a qualitative assessment of battery health.
• The power manager under FC6 tracks the maximum capacity of your battery at its last full charge and generates a health percentage based on the factory spec charge for your battery. To view this information, right-click the battery meter in your gnome panel, select “Information”, and expand the “More” area of the “Device Information” panel.
• If you kept your initial Windows XP install, there is a battery health meter under the Dell Quickset applet in the lower right hand corner of the screen that gives the same information that is available through the system BIOS.

Obtaining a Replacement Battery

Of course, you always have the option of purchasing a replacement battery from Dell (9-cell or 6-cell), or simply living with degraded battery life. There are some circumstances where you may be able to obtain a replacement under warranty, though. If the BIOS/Quickset health gauges are showing the battery as failed even though it’s less than a year old, Dell will replace it under warranty. According to the phone rep that I spoke to, a battery is considered to have failed when operating at less than 50% of its rated capacity. When I called, my battery was five months old and operating at 50%-60% of it’s capacity (5 death lights, BIOS noted lowered battery life but did not pronounce failure, FC6 power manager rated health at 56%, observed battery life was 50%-60% of expected). I was able to successfully make the case that the battery was clearly borderline and would certainly be replaced within a month or two, and that doing so now was an opportunity to provide excellent customer service whereas forcing me to wait would serve no purpose other than irritating me. To his credit, the phone rep immediately acknowledged that my line of thinking was reasonable, spoke to a supervisor, and was able to authorize the early replacement.

Conclusion

I love my laptop, and in general I’m very happy with it. It does look like there’s a trend toward premature battery failure, though, and if your situation is severe enough you may be eligible for a warranty replacement. Once your replacement arrives, go read about how to monitor and optimize battery performance.

FC6 works quite well on the D620 right out of the box, and with a few tweaks can be just about fully supported. This guide summarizes what I’ve done to get things working to my satisfaction. It is not a step by step howto, but does attempt to link to more detailed resources when they are available. The list below shows at a glance what is and isn’t working well on my system. Most items worked immediately after install without manual intervention, italic items were made fully functional after some manual configuration, and bold items have significant unsolved issues associated with them.

• Dual-core Processor: Both cores are detected on the 2.17GHz Intel Core Duo processor, the 32bit i686 smp kernel is installed and just works. Dynamic CPU frequency scaling works well and if you wish to monitor/change the scaling behavior there’s a gnome panel applet to do so.
• USB: Works, no config needed.
• PCMCIA Slot: Works, no config needed.
• Touchpad/Track Stick: Works, no config needed. Install gsynaptics from Extras if you want to customize the trackpad behavior, or copy/modify Dawid’s xorg.config settings (search for “touchpad”).
• Suspend to Ram: Works with kernel 2.6.18-1.2869, wireless networking needs to be restarted on wakeup and you need to nudge the volume control to wake up the soundcard.
• Hibernate to Disk: Doesn’t work, system hangs during hibernation and needs a hard reset. This worked in Fedora Core 5, so I imagine it will get fixed again relatively soon.
• Ethernet: Works, no config needed.
• Wireless Networking: Install dkms-ipw3945, ipw3945d and ipw3945-firmware from freshrpms, install the kernel-devel package for your kernel, and reboot. Once you’re configured, don’t forget to enable the network manager applet so you don’t have to iwconfig from the terminal all the time. The Intel 3945 has much better linux support than the awful Broadcom 4310 in the Dell Truemobile 1390 that was previously installed in this laptop.
• Bluetooth: Works, no config needed.
• 2D Video: Works, no config needed.
• 3D Acceleration: The NVidia Quadro 110M works well after installing nvidia-x11-drv from freshrpms. Don’t forget to install kernel-devel for your kernel version and reboot. Battery life drops by about 40% while running the NVidia driver, even if you’re not doing 3D work. I had a bad battery.
• External Monitor: If all you want is to switch to the external output instead of the internal LCD, you can do so easily right out of the box. Use the screen resolution control panel to set your resolution, and Fn-F8 to toggle between the displays. If you choose to install the NVidia driver, it includes a simple dialog for setting up multimonitor support using TwinView. TwinView isn’t perfect, windows maximize dumbly (across both displays) and if the resolutions of the two monitors are mismatched there’s an area where it’s possible to move the mouse and place windows that doesn’t show up in any monitor. All in all, it’s a bit lame but does get the job done in a pinch.
• CD/DVD Burning: Works out of the box, but this tweak substantially improves burn speed and system responsiveness while burning.
• Sound Playback: Works, no config needed.
• Sound Recording: Works, no config needed. If you’re not getting recorded sound, check the Volume Control app to make sure that capture is enabled and the recording level isn’t way down.
• Volume Keys: Go into System –> Preferences –> Keyboard shortcuts and assign the multimedia keys to vol down/up/mute (or whatever you want them to do).
• Radio On/Off Switch: Works fine, and has a noticeable effect on battery life. You may need to “up” the interface with the connection manager of your choice if you enable the radio while the system is running.
• ACPI Power Management: All the power management features work (fan speed autoadjusts, cpu frequency scaling works, there’s a gnome applet to easily control it), but battery life is inexplicably poor. Under FC5, my battery life was over 4 hours with a 9-cell battery, wifi/bt off, backlight dimmed, and cpu locked to 1GHz. After migrating to FC6, battery life is less than 3 hours and the laptop runs noticeably warmer when performing routine tasks. I had a bad battery.
• Fingerprint Reader: Untested.
• Modem:Untested.

Output of lspci

00:00.0 Host bridge: Intel Corporation Mobile 945GM/PM/GMS/940GML and 945GT Express Memory Controller Hub (rev 03)
00:01.0 PCI bridge: Intel Corporation Mobile 945GM/PM/GMS/940GML and 945GT Express PCI Express Root Port (rev 03)
00:1b.0 Audio device: Intel Corporation 82801G (ICH7 Family) High Definition Audio Controller (rev 01)
00:1c.0 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 1 (rev 01)
00:1c.1 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 2 (rev 01)
00:1c.2 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 3 (rev 01)
00:1d.0 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #1 (rev 01)
00:1d.1 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #2 (rev 01)
00:1d.2 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #3 (rev 01)
00:1d.3 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #4 (rev 01)
00:1d.7 USB Controller: Intel Corporation 82801G (ICH7 Family) USB2 EHCI Controller (rev 01)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev e1)
00:1f.0 ISA bridge: Intel Corporation 82801GBM (ICH7-M) LPC Interface Bridge (rev 01)
00:1f.2 IDE interface: Intel Corporation 82801GBM/GHM (ICH7 Family) Serial ATA Storage Controller IDE (rev 01)
00:1f.3 SMBus: Intel Corporation 82801G (ICH7 Family) SMBus Controller (rev 01)
01:00.0 VGA compatible controller: nVidia Corporation Quadro NVS 110M / GeForce Go 7300 (rev a1)
03:01.0 CardBus bridge: O2 Micro, Inc. OZ601/6912/711E0 CardBus/SmartCardBus Controller (rev 40)
09:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5752 Gigabit Ethernet PCI Express (rev 02)
0c:00.0 Network controller: Intel Corporation PRO/Wireless 3945ABG Network Connection (rev 02)

Useful Links

• Fedora Core 6 on the D620
• My previous guide to Fedora Core 5 on the D620
• Linux on Laptops page for Dells (search the page for 620)
• Debian on the D620
• Another guide to Fedora Core 5 on the D620

Although my study schedule was 4 months, my intensity level for the second and third month varied a lot. I also spent a lot of time doing cover-to-cover reading, which in retrospect isn’t a terribly efficient way to approach an exam with this much breadth. I kind of wish I had done more practice tests early in my study process so I could have spent more time on weak areas and less time agonizing over the subtleties of topics that I already fundamentally understood.

Most folks use a number of study resources, and I was no exception:

• I started with Shon Harris’ CISSP All in One Exam Guide. Like most Osbourne books, it’s a little bit chatty, has some laughably bad diagrams, and more than it’s share of ambiguities, errors, and bad practice questions. Even still it’s a pretty good book, especially if you need to bootstrap yourself a bit before you feel prepared for the more no-nonsense books.
• Once I felt comfortable with Harris, I started working through the Hansche/Berti/Hare Official (ISC)² Guide to the CISSP Exam, published by Auerbach. Although dry, I think it’s important to work with this book. Because of the strict confidentiality requirements surrounding the test it’s hard to get reliable information about which topics are emphasized, what the editorial style of the questions is like, and how to disambiguate words that may have a number of meanings depending on what part of the industry you work in but which are used in a specific and consistent way by (ISC)². I found that I simply absorbed a lot of useful information about the (ISC)² writing style when reading this book that gave me a tangible edge in the exam room. Plus it’s generally well done and has the best practice questions I was able to find. The worst thing I can say about it is that the CBK sections at the end of each chapter are fantastically vague, needlessly scary, and completely useless. They’re easy to ignore, though, and that’s what I recommend doing with them.
• Cccure.org is an excellent resource for free practice questions. Quality does vary, but at the high end is very good and on average is pretty ok.
• I also bought a set of Boson practice questions and was extremely disappointed, to the point of not even using most of them. Some of the highlights of my Boson experience were:
  1. A fill in the blank question with a nine word answer that needed to be typed exactly to be graded correctly. The answer was obviously not a standard phrase worth memorizing, and the CISSP exam is entirely multiple choice.
  2. A multiple-choice question that offered only one answer option… er… I mean… a single-choice question… or… um… would that just be a statement?
  3. An email conversation with a Boson support rep that took three rounds of explanation before understanding why a multiple-choice question with no alternate options is defective, and who offered to take no corrective action other than passing the complaint up the chain.
• I did a lot of Googling to fill in gaps on topics I wasn’t familiar with.

If you’re thinking of becoming a CISSP, have a look at the flash video introduction on cccure.org.

FC5 can be made to work fairly well on the D620, but many things require tweaking to work properly. This guide summarizes what can be made to work and how. It is not a step by step howto, but does attempt to link to more detailed resources when they are available. Most items worked without any manual configuration, those that required some tweaking to be fully functional are in italics, and issues that couldn’t be resolved are in bold. It’s worth noting that essentially all of my issues with the laptop stem from the use of a Broadcom wireless card, it’s a very well supported system when paired with the Intel wireless option.

• Dual-core Processor: Both cores are detected on the 2.17GHz Intel Core Duo processor, the 32bit i686 smp kernel is installed and just works.
• USB: Works, no config needed.
• PCMCIA Slot: Works, no config needed.
• Touchpad/Track Stick: Works, no config needed. Install gsynaptics from Extras if you want to customize the trackpad behavior.
• Suspend to Ram:Works after updating kernel to 2.6.18-1.2200.fc5smp.
• Suspend to Disk: Works after updating kernel to 2.6.18-1.2200.fc5smp.
• Ethernet: Works, no config needed.
• Wireless Networking: Works with ndiswrapper, but conflicts with 3D acceleration (see the 3D section for details). I accidentally purchased the Dell Truemobile 1390 wireless card option, which is based on the awful Broadcom BCM4310. You should order the Intel wireless option instead, but if you already have an icky Broadcom it can be made to work using ndiswrapper. Follow the standard installation instructions using the r115321.exe driver available from Dell. Once you’re configured, don’t forget to enable the network manager applet so you don’t have to iwconfig from the terminal all the time.
• 2D Video: The native display resolution is incorrectly detected, add the correct modeline to xorg.conf to fix (ignore the 915resolution stuff if you have an NVidia card like me). (Update 2010-10-18: The link with the modeline instructions is now dead)
• 3D Acceleration: The NVidia Quadro 110M works well after installing NVidia drivers from livna, but causes the Broadcom wireless card to stop working reliably. I’m not aware of a workaround other than to use the open source nv driver which doesn’t offer 3D acceleration (or to purchase the Intel wireless option, which doesn’t suffer from the issue). Track progress on the issue here and here.
• External Monitor: If you don’t use the NVidia driver, hooking up to the VGA out is painful. Changing to a standard (non-wide) resolution and back again requires editing xorg.conf (some update, not sure which, added the correct resolution to the screen-res dialog so changing resolutions isn’t that painful anymore), there’s no proper resolution scaling, and no graphical interface for configuring dual-head.
• CD/DVD Burning: Works out of the box, but this tweak substantially improves burn speed and system responsiveness while burning.
• Sound Playback: The audio drivers for the Intel High Definition Audio devices used in this system had problems in the initial release of FC5, but it should work fine after a yum update.
• Sound Recording: Works after updating. If you’re not getting recorded sound, look in the preferences for the Volume Control app, make sure that “capture” is enabled and the recording level isn’t way down.
• Volume Keys: Go into System –> Preferences –> Keyboard shortcuts and assign the multimedia keys to vol down/up/mute (or whatever you want them to do).
• Radio On/Off Switch: Works fine, and has a noticeable effect on battery life. You may need to “up” the interface with the connection manager of your choice if you enable the radio while the system is running.
• Fingerprint Reader: Untested.
• Bluetooth: Untested.
• Modem: Untested.
• ACPI Power Management: Auto fan speed and cpu frequency scaling work without configuration. Right-click the top gnome panel (the bar with the applications menu and the clock) and add the cpu frequency scaling monitor if you want some feedback and control over frequency scaling (which definitely affects battery life and laptop temperature during use).

Output of lspci

00:00.0 Host bridge: Intel Corporation Mobile Memory Controller Hub (rev 03)
00:01.0 PCI bridge: Intel Corporation Mobile PCI Express Graphics Port (rev 03)
00:1b.0 Audio device: Intel Corporation 82801G (ICH7 Family) High Definition Audio Controller (rev 01)
00:1c.0 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 1 (rev 01)
00:1c.1 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 2 (rev 01)
00:1c.2 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 3 (rev 01)
00:1d.0 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #1 (rev 01)
00:1d.1 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #2 (rev 01)
00:1d.2 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #3 (rev 01)
00:1d.3 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #4 (rev 01)
00:1d.7 USB Controller: Intel Corporation 82801G (ICH7 Family) USB2 EHCI Controller (rev 01)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev e1)
00:1f.0 ISA bridge: Intel Corporation 82801GBM (ICH7-M) LPC Interface Bridge (rev 01)
00:1f.2 IDE interface: Intel Corporation 82801GBM/GHM (ICH7 Family) Serial ATA Storage Controllers cc=IDE (rev 01)
00:1f.3 SMBus: Intel Corporation 82801G (ICH7 Family) SMBus Controller (rev 01)
01:00.0 VGA compatible controller: nVidia Corporation Unknown device 01d7 (rev a1)
03:01.0 CardBus bridge: O2 Micro, Inc. OZ601/6912/711E0 CardBus/SmartCardBus Controller (rev 40)
09:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5752 Gigabit Ethernet PCI Express (rev 02)
0c:00.0 Network controller: Broadcom Corporation BCM4310 UART (rev 01)

Useful Links

• Linux on Laptops page for Dells (search the page for 620)
• Debian on the D620
• Another guide to Fedora Core 5 on the D620
• My guide to Fedora Core 6 on the D620
• Another guide to Fedora Core 6 on the D620

• It was displayed in a group exhibit at the 2006 Venice Biennale.
• It was featured in September 2006 edition of Architecture magazine (one of four articles linked off this month’s homepage for the magazine). To highlight the student-run nature of the project, the magazine had the students write their own article and submit their own photos, which were taken by Laura. (Update 2010-10-18, the link for this article is now dead unfortunately.)
• Dwell Magazine published an article in June of 2007 (Update 2010-10-18, this link has also stopped working).
• Allegedly NBC planned some coverage, but I’m not sure if it was ever released. Let me know if you find it.
• The New York Times published an article in November of 2006.
• The American Institute of Architects awarded the project an AIA New York State Design Award in September of 2006.

For more information about the project, click through their flickr photo page. For more information about the Parsons Design Workshop in general have a look through the following links:

• 2005 Retrospective announcement
• Writeup of the 2005 project

• Comments now render properly in IE6. This is a moderately severe bug.
• Posts with complex HTML tags now display properly in the category archives.
• All theme variants are now validating again (thanks for the patch Brian).
• The comments link now correctly links to the comment form when a post has no existing comments.

By now, you know the drill: Download the one-column layout, the two-column layout, the new three-column layout, or the image sources (which haven’t changed since 0.10.0) in Gimp XCF format. Read the project page for the latest downloads and more information.

P.S. Sorry for the private post in a public forum, folks. I’m tracking down an old friend and don’t have conventional contact info yet.

Even with the September 11 attacks included in the count, the number of Americans killed by international terrorism since the late 1960s… is about the same as the number of Americans killed over the same period by lightning, accident-causing deer, or severe allergic reaction to peanuts.

This one compares airline terrorism to the risks associated with driving:

University of Michigan transportation researchers… determined there would have to be one set of September 11 crashes a month for [flying to be as risky as driving an equivalent distance].

So I say enough is enough. Forget about this terrorism baloney, what I want to know is what the government is doing to protect America from destruction by the new Triangle Of Terror: lightning, rogue-deer, and peanuts. Now please excuse me while I go buy some lotto tickets.

Please don’t download IE7, though. Seriously. Internet Explorer has been an anchor tied to the leg of the web design community for years. CSS3 support is just around the corner, and it’s going to start all over again with the hacks and the new features that are supported by every browser but IE. Firefox is great, Opera is great, Safari is great. There’s really only one wrong answer, so do your part to make the web a better place and switch today.

Anyway, all ranting and no downloading makes Jack a dull boy. Get the one-column layout, the two-column layout, the three-column layout, or the image sources in Gimp XCF format (which haven’t changed since 0.10.0). Read the project page for the latest downloads and more information.

• The much requested three column variant. I’d like to thank Soulpress.net for generously sponsoring the development of this feature.
• A completely revamped layout engine, based on the Octopus Engine from Dragon Labs. Now that WuCoco no longer relies on faux columns it’s much easier to adjust column-width, and I no longer have to maintain separate graphic assets for the different variants. As an added bonus, it’s possible to easily switch to independent column heights if you choose.

The new layout engine involves a lot of changes under the hood. It’s quite possible that rendering bugs have been introduced, so speak up if you find one. By now, you know the drill: Download the one-column layout, the two-column layout, the new three-column layout, or the image sources in Gimp XCF format. Read the project page for the latest downloads and more information.

The short is often and aptly compared Terry’s Gilliam’s animation for Monty Python’s Flying Circus and to anything by Tim Burton (WFMU says: “I’m sure they whip a stapler across the room every time someone goes ‘Tim Burton.’”), although it’s denser and more surreal than either (yes, more surreal than Tim Burton). The most apt comparison I can make is to the little known work of Patrick Woodroffe. I first encountered Patrick’s drawings when I was a child through the very collectible The Second Earth: The Pentateuch Retold, which confused and intrigued me with it’s simple but striking story and fantastically detailed imagery.

There’s not currently a lot of information about the Blackheart Gang on the web, but Motionographer does have an informative writeup including links to two additional BHG audio files that I haven’t seen posted elsewhere. Update 5/7/07: Siouxwire has an interview with the Blackheart Gang.

Via WFMU’s Beware of the Blog (Update 2010-10-18: The original story at WFMU has disappeared, linking to their front-page instead).

• Clean archives (Update: website for the clean archives plugin has disappeared) has been integrated to provide an information rich and inviting view of your post history. No fussing with plugins required.
• Author comments are now highlighted to stand out.
• The two-column layout is widget friendly.
• A bug that was causing the comment form border to occasionally render incorrectly has been fixed.
• Post margins have been made robust (previously many seldom used tags rendered without a margin)
• The stylesheets have been reworked to be ease future development.

Download the one-column layout, the two-column layout, or the image sources in Gimp XCF format. Read the project page for the latest downloads and more information.

Update 7/18: This version is also known as 0.5.0.

I took about 30 hours over two weeks to self-study, much of it spent reading the Osborne book, which I was fairly disappointed with. Although I did learn something useful from most of the chapters in the book, it’s badly edited. Technical terms are routinely misused, and many of the sample test questions are worded poorly enough to cause confusion even if you understand the material. If I had it to do over again, I might try the Sybex book in hopes that it was better.

Although there’s some basic conceptual knowledge required to pass the test, a good deal of it is fact recall. I made up a set of flashcards that I used to memorize the requisite bits. Download the flashcards in both granule deck format (granule is a gem, by the way… especially on the Nokia 770) and colon-delimited text format. If you use/improve them, please send me the updates and I’ll make them available here.

Download the one-column layout, the two-column layout, or the image sources in Gimp XCF format. Read the project page for the latest downloads and more information.

I’m not clear if this is a permanent web fixture or temporary art installation. It was incorporated into a recent graduate thesis in fine art at Cornell University. But it’s not obvious to me if it’s aiming to create a pop-culture brand to market and financially support the artist’s work, or if it’s an ironic critique of consumerism. Maybe it’s both. Anyway, act fast if you want to consume their products… supplies are limited!

Even though there have been no tangible repercussions from the incident with ICDSoft, the experience has made it clear to me that my actions can reflect on and impact other members of the lococo.org community in unintended ways. Migrating my content into its own namespace will channel future feedback directly to me and prevent possible confusion about whose opinion is being represented.

ICDSoft isn’t giving me $200 to shill for their hosting services but they are paying ten other lucky folks, according an announcement sent to customers on 3/8/2006 via the news section of their hosting control panel (bold sections are my emphasis):

March 8th, 2006 | A “Thank You” to our loyal customers!

Over the past few years, ICDSoft has grown steadily to reach more than 70,000 domains hosted. We fully recognize that a big part of our success is the words of recommendation sent out by our existing customers to other potential clients all over the world. We realize that these recommendations are the best advertisement we could ever have. For this reason, we have decided to extend our gratitude to our customers by rewarding the best reviews of our hosting services.

Such an undertaking was not an easy task however. We started out by seeking and collecting all the reviews of our services that have been posted over the years. An ever bigger challenge was deciding which were the best. All reviews were assessed with several factors in mind: the objectivity of the information provided, the writing style, the popularity of the web site it is posted on, and others. After a great deal of analysis, we have chosen to reward each of the following reviews with $200:

1. http://www.webhostingtalk.com/showthread.php?t=473518
2. http://www.DiabeticMommy.com/hosting.htm
3. http://www.besthostratings.com/web-hosting/reviews/icdsoft-Reviews.html#hostreview3905
4. http://www.amazon.com/exec/obidos/tg/detail/-/B00006EN7N/104-1375399-3445510?v=glance (link dead)
5. http://www.besthostratings.com/web-hosting/reviews/icdsoft-Reviews3.html#hostreview3365
6. http://www.besthostratings.com/web-hosting/reviews/icdsoft-Reviews3.html#hostreview3276
7. http://wordpress.org/support/topic/20562#post-177232
8. http://www.besthostratings.com/web-hosting/reviews/icdsoft-Reviews3.html#hostreview3277
9. http://webhostingtalk.com/showthread.php?t=475347
10. http://www.webhostingtalk.com/showthread.php?threadid=345718
    (http://www.webhostingtalk.com/showpost.php?p=2656502)

It is important to note that we found many other fantastic reviews, but could not reward them because the domain name of the poster was not provided in the review. We are also sure that there were many reviews out there that we simply could not find. If you have posted a review about our services, you can tell us about it through the “Submit a review” link on the left pane of your hosting Control panel.

We are planning to express our gratitude in a similar fashion in the future as well. Thank you once again for your support!

ICDSoft Team

They don’t explicitly state that they’re paying for positive reviews, but if you follow the listed links it’s clear that they’re not paying for negative ones. You’ve got to wonder if this is the first time they’ve done this, or just the first time they’ve made an official announcement about it. This site is hosted on icdsoft (so if it disappears next week you’ll know why), and they actually are a pretty decent value-oriented host. It almost seems odd that they would need to resort to astroturfing, but increasingly I find that no amount of moral turpitude will surprise me.

Download the one-column layout, the two-column layout, or the image sources in Gimp XCF format. Otherwise, head over to the project page for the latest downloads and more info.

I’ve also enabled comments again. I turned them off almost immediately after starting the site when I had blog spam problems, but it has become increasingly clear to me that this site exists primarily in order to solicit feedback and it does a poor job of that with comments disabled.

If anyone finds the theme interesting, I’ve packaged it up to make it easy to use with WordPress 2.x. To install, download wuhan_lococo-0.4.1.zip, unzip, upload into /wp-content/themes/, and select it as your default theme in the wp-admin interface. If you’re new to using themes in WordPress, check out the official theme documentation or leave a question in the comments.

Update, 4/25/05: There’s now a project page for the theme at http://mikelococo.com/projects/wucoco where you can find more information as well as downloads for the latest packaged version.

I was recently contacted by a childhood friend whom I remember fondly for his Butthead impressions. He’s the first friend or foe to find me through my website, although I suspect he won’t be the last. Lately I’ve had an increasing number of where-are-they-now conversations, even with friends who typically don’t care where “they” ended up. I think we may be hitting the age when that sort of thing becomes common.

Anyway if you’ve wondered about where Sean/Christopher/Jonathan Fallon or Paul/Jeff Chenkus are now, check out their tech news blog at nerdapproved.com.

The short of it is that Canon is offering to repair affected cameras at no charge regardless of warranty status. Call them up, mention the service notice and that you’d like a free CCD evaluation. They’ll ask you to go through some troubleshooting steps and if it looks like you have a bad CCD they’ll fix it for free (even covering shipping costs in both directions, which never happens).

I’m very impressed with how Canon has handled this. I experienced short hold times, and got no hassle from the phone techs. I was assured that the evaluation and shipping would be free even if the factory techs found that my camera’s problem wasn’t covered by the service notice, so I didn’t feel nervous about sending it in at all. It took about two weeks to get my camera back in good repair, and I think they fixed a slight mechanical problem with the lens cover for free as well. It’s great when a company takes a bad situation like this and turns it into an opportunity to provide great customer service. Kudos to Canon.

Anyway, now I have an extra camera. I think that the A70 will be handed down to Fio, so he can continue to develop his film portfolio.

In the meantime, we’ll close his epoch on the site with some links about Dubai (via BoingBoing). If Walt Disney were alive today, he’d build a brothel there (we’ve had numerous visitors stumble upon this very site searching for prostitutes in Dubai). Home of the new New Urbanism, and (formerly) the biggest bowl of spaghetti, Dubai is where the end begins.

Things will be shifting around in the next couple weeks as I do some house cleaning and make the technical changes necessary to support more writers. If this experiment is successful, we may gather more interested folk in exactly the way that a rolling stone fails to gather moss.

Keep your eyes peeled…

This weekend I caught the bug to solve it and see if I’m smart enough to work at Google. Apparently I’m not, because I ended up cheating when I checked my initial (and I thought correct) solution against what others had found. By the time I realized I had made a mistake, I also realized what I needed to do to correct it. I did independently fix my code (as evidenced by its extreme ugliness). Download it, smack it up, flip it, rub it down, oh no.

My Canon A70 digital camera gave up the ghost after a year a half. Luckily, the folks servicing my Staples extended warranty came through and cut me a check for the purchase price of the camera, after determining that the repair was too expensive to bother with.

Update 9/2/05: It’s worth mentioning that Staples was more of a pain than I first thought to deal with. They originally sent me a Staples gift card (after telling me I would get a check, and which arrived after I had already bought my new camera at Best Buy), and it took me over 2 months of frequent follow-up calls to get my check.

This put me in the market for another camera. I wanted something with a longer zoom. I was always trying to shoot things with the A70 that were too small or too far away to frame properly with the 3x lens. I eventually decided on another Canon, the Powershot S1 IS, which has a 10x zoom (equivalent to a 38mm-380mm lens on a traditional SLR camera). It’s only 3.2 megapixels, but since I rarely print photos I have never felt limited by resolution. After using it for a few days, I find that I enjoy using this camera much more than my last one. In addition to the big zoom, it has several features that make it fun to shoot with:

• Good Controls: Almost everything I do while shooting can be done in one or two button presses without taking my eye off the “action”. I almost never need to use a menu when setting up a shot.
• Electronic Viewfinder: The badness of the A70 viewfinder defies description. I never ever used it, no matter how much I had to squint to see the LCD screen in the sun. The viewfinder in the S1 IS is nice, I like it better than the LCD most of the time.
• Focus Zoom: While adjusting the manual focus, a zoom view automatically pops up so you can see what you’re doing. This combined with the well designed controls make manual focus a worthwhile alternative when the auto focus has trouble (which it sometimes does in very flat scenes or in low light).
• Sleep Mode: The camera optionally switches into a low power mode after a short period of inactivity, and it can wake up again in less than a second.
• Intervalometer: The camera can shoot unattended at regular intervals. Most people wouldn’t care about this, but I think it’s great and I use it all the time.
• Image Stabilization: This feature is supposed to smooth out the natural movement of your hand, allowing you to shoot longer exposures than you would otherwise be able to without blurring the image. I expected that it would work so poorly as to be worthless, but I’ve been pleasantly surprised. I hate flashes, and the IS has allowed me to get halfway decent shots using available light in situations where I would otherwise end up with a blurry mess. My most amusing IS shot to date is a 1 second handheld exposure that looks soft but not sloppy.

I did briefly consider getting a 5 megapixel superzoom. I even went so far as to purchase a Kodak DX7590 on impulse because it was 5 megapixels and had a big, beautiful LCD display. I ended up returning it unopened after reading that it has substandard image quality and long write delays. There are some recently released 5mp superzooms that are supposed to be very nice, but they are also substantially more expensive than the S1 IS, so at least for now I’m not second guessing my choice.

Update: CNN seems to have taken down their writeup, so I removed the link.

It’s true that the results are pretty distressing, the students did atrociously on the fact-based questions in the survey. A disturbing percentage of them also seemed willing to accept moderate or even severe limitations on freedoms of speech and press. They didn’t fare too much worse than faculty and administrators at their schools, though, and it’s hard to imagine how students could have done well given the knowledge of those responsible for their education. The poor performance of teachers was downplayed in articles about the study and is not mentioned at all in the key findings of the study itself.

• Nearly half of the teachers surveyed don’t feel that musicians should be allowed to sing songs with lyrics that might be offensive to some. Younger generations are a little more liberal, less than a third of the students felt similarly.
• One out of five teachers aren’t sure that newspapers should be allowed to publish stories without government approval, but surprisingly almost half of the students feel the same way. Perhaps it’s only a coincidence that most high school faculty and principals feel that student papers should require the approval of school authorities.
• Three quarters of the students surveyed incorrectly believe that it’s illegal to burn a flag in political protest. One third of the teachers are under the same misconception, and apparently they’re doing a fantastic job getting through to their students on that issue.
• Half of the students incorrectly believe that the government can restrict indecent content on the internet. Faculty and principals don’t know, either… also evenly split. It’s a funny question, though. The government absolutely does regulate content on the internet. There are currently existing federal statutes restricting the distribution of obscene material and child pornography. A 1997 Supreme Court ruling did narrow the scope of material restricted by the Communications Decency Act by allowing publication of “indecent” material, leaving in place restrictions on “obscene” material… but it seems a little dishonest to write a survey question directed at high-school students whose correct interpretation depends on the definition of a word that had its meaning disputed all the way to the Supreme Court.
• More than half of faculty and principals surveyed think they’re doing a good job teaching about first amendment freedoms.
• 2% of faculty aren’t certain what the highest level of education they received was. Kudos to the survey team for anticipating the need for a “Don’t know” option on that question.

The survey, partially funded by the Knight Foundation, didn’t explore non-governmental impediments to free information flow, such as consolidated media markets.

It kind of looks like it was stuck to the window by a three year old, but it brings me great joy nonetheless. Go play on the Internet Anagram Server, or read some of my other favorites:

• cruellest ivory inn
• nor ivy slut recline
• recently loin virus
• cleverly i iron nuts
• cleverly i ruin snot
• run evilly snort ice
• i run celery in volts
• yon vertices run ill
• vinyl silencer tour

Filesize: ~3.4M
License: all rights reserved

This is another automated art project and a bit of a work in progress. Some time ago I wrote an FXScript for Final Cut Pro 3.0 that edited a movie to run forward and backward, interleaving the frames instead of compositing them. This is the test video I used as I was writing the script, you can still see (but not read in this heavily compressed version) the variables I was tracking on-screen while I debugged.

Someday I hope to revisit this project on a less awkward programming platform. FXScript was difficult to do automated editing with because it assumed (as of FCP3, anyway) a linear flow through the video material. I’m still on the lookout for a good high-level way to automate video editing. Quicktime Pro might do what I want in combination with Applescript or Perl/PerlMagick, but I haven’t investigated deeply yet.

I’m not providing the FXScript I used to create this, only because I think there are better ways. Contact me if you really want a copy.

As much as wish I had, I did not think of the word intertwingle.

Update 3/20/06: Since a few hundred folks a month seem to be finding this site searching for information about mohawks, a short update is in order. I used Rave #4 (aka mega) hairspray to hold the spikes, which is cheap and works well. Elmer’s or spraypaint will get you more cred, but it’s unlikely that someone searching for hair advice on the internet is going to last very long with folks that spike with spraypaint under any circumstances. For that reason, I recommend sticking with something you won’t have to shave out until you have your sea-legs. The process of styling isn’t rocket science, but it does take a long time while you’re figuring it out and you really want a blowdryer. The tall spikes take a few layers of spray to stand up right and waiting for half a can of hairspray to air dry is not really an option.

p.s. I’ll send a surprise gift to the first person who can figure out what the sign I’m holding is about.

Update 5/13/06: The prize has been collected. The photo is a reference to Johnny Cash’s drug arrest while crossing the Mexican border in 1965. Although Cash doesn’t have a Mohawk in his mugshot, he was punk before hairspray was king.

study_in_gray_3x2

The recent proliferation of high level computer programming languages has made it possible for non-expert users to write interesting programs without getting bogged down in technical specifics. In particular, the availability of libraries and API’s that provide high-level, user-oriented data primitives like pixels and video frames are very interesting because they allow users to approach visual tasks without having to understand how the computer internally represents visual data.

This series of images was born out of an interest in the repetition of very simple actions on an inhuman scale, and as a study in the nature of discrete verus continuous media. A 3-panel by 3-panel digital print measuring about 2 1/2′ square was displayed as the only ugly and conceptual work in the 2004 staff art show at Cornell University.

The script used to generate the images is GPL’ed. It should run on any system with Perl and PerlMagick available. The images in the study_in_gray series are released into the public domain.