From bdoob at acm.org Mon Feb 1 22:58:18 2010
From: bdoob at acm.org (Brian Doob)
Date: Mon, 1 Feb 2010 22:58:18 -0600
Subject: [RndTbl] Debian doesn't see all RAM in a VM
Message-ID: <94E0B486-25EC-4F15-9D4C-792BBF338556@acm.org>

I installed Debian Sarge (with 2.4.x kernel) on VMware ESXi in a virtual machine with 2GB RAM. It looks like Linux only sees 900MB of memory (according to top, vmstat and /proc/meminfo). Does anyone know why this would be happening and how I can fix it? Do I need to compile different options into the kernel? Thanks.

-Brian

From sean at tinfoilhat.ca Mon Feb 1 23:08:28 2010
From: sean at tinfoilhat.ca (Sean Cody)
Date: Mon, 1 Feb 2010 21:08:28 -0800
Subject: [RndTbl] Debian doesn't see all RAM in a VM
In-Reply-To: <94E0B486-25EC-4F15-9D4C-792BBF338556@acm.org>
References: <94E0B486-25EC-4F15-9D4C-792BBF338556@acm.org>
Message-ID: <7AFA0B3F-102D-4FC6-8DFF-C680EAC02EA0@tinfoilhat.ca>

Can you post a dmesg?
That would help lots.

I'm assuming the machine's POST mem test gets to 2048 right?

4GB has issues on some architectures (memory hole due to address space layout) but 2GB sounds odd and I would need more detail to even guess.

On 2010-02-01, at 8:58 PM, Brian Doob wrote:

> I installed Debian Sarge (with 2.4.x kernel) on VMware ESXi in a
> virtual machine with 2GB RAM. It looks like Linux only sees 900MB of
> memory (according to top, vmstat and /proc/meminfo). Does anyone know
> why this would be happening and how I can fix it? Do I need to compile
> different options into the kernel? Thanks.
>
> -Brian
>
> _______________________________________________
> Roundtable mailing list
> Roundtable at muug.mb.ca
> http://www.muug.mb.ca/mailman/listinfo/roundtable

--
Sean

From athompso at muug.mb.ca Mon Feb 1 23:17:10 2010
From: athompso at muug.mb.ca (Adam Thompson)
Date: Mon, 01 Feb 2010 23:17:10 -0600
Subject: [RndTbl] Debian doesn't see all RAM in a VM
In-Reply-To: <7AFA0B3F-102D-4FC6-8DFF-C680EAC02EA0@tinfoilhat.ca>
References: <94E0B486-25EC-4F15-9D4C-792BBF338556@acm.org> <7AFA0B3F-102D-4FC6-8DFF-C680EAC02EA0@tinfoilhat.ca>
Message-ID: <4B67B556.2000805@muug.mb.ca>

On 2010-Feb-01 23:08, Sean Cody wrote:
> Can you post a dmesg?
> That would help lots.
>
> I'm assuming the machine's POST mem test gets to 2048 right?
>
> 4GB has issues on some architectures (memory hole due to address space layout) but 2GB sounds odd and I would need more detail to even guess.

Agreeing completely with Sean here - and 900Mb is just plain a very strange number that makes even less sense than 1024Mb.

In addition to dmesg(1) output, the dmidecode(8) tool can tell you what the SMBIOS has emulated in this particular VM; limit the output to memory modules by selecting DMI Type 17, i.e. "dmidecode -t17"

Obviously the output doesn't relate to real physical sockets, but the SMBIOS (aka the DMI table) should still report consistent information.

For that matter, I wouldn't mind seeing the full dmidecode(8) output from an ESXi VM - never occurred to me to look and I don't have access to an ESXi system anymore.
-Adam

From athompso at muug.mb.ca Mon Feb 1 23:18:29 2010
From: athompso at muug.mb.ca (Adam Thompson)
Date: Mon, 01 Feb 2010 23:18:29 -0600
Subject: [RndTbl] Debian doesn't see all RAM in a VM
In-Reply-To: <4B67B556.2000805@muug.mb.ca>
References: <94E0B486-25EC-4F15-9D4C-792BBF338556@acm.org> <7AFA0B3F-102D-4FC6-8DFF-C680EAC02EA0@tinfoilhat.ca> <4B67B556.2000805@muug.mb.ca>
Message-ID: <4B67B5A5.6080605@muug.mb.ca>

On 2010-Feb-01 23:17, Adam Thompson wrote:
> memory modules by selecting DMI Type 17, i.e. "dmidecode -t17"

My bad. There are four different DMI types for memory; they can all be selected simultaneously by using the mnemonic instead: "dmidecode -t memory".

-Adam

From sean at tinfoilhat.ca Tue Feb 2 00:23:54 2010
From: sean at tinfoilhat.ca (Sean Cody)
Date: Mon, 1 Feb 2010 22:23:54 -0800
Subject: [RndTbl] Debian doesn't see all RAM in a VM
In-Reply-To: <4B67B556.2000805@muug.mb.ca>
References: <94E0B486-25EC-4F15-9D4C-792BBF338556@acm.org> <7AFA0B3F-102D-4FC6-8DFF-C680EAC02EA0@tinfoilhat.ca> <4B67B556.2000805@muug.mb.ca>
Message-ID:

Shared video memory off alignment could make sense here but it is a radically weird number.
Video memory is the only hardware I've seen that would share RAM. Everything else I've seen in my limited experience has been using memory via memory mapped address space for DMA, nothing explicitly communicating via RAM itself.

On 2010-02-01, at 9:17 PM, Adam Thompson wrote:

> Agreeing completely with Sean here - and 900Mb is just plain a very strange number that makes even less sense than 1024Mb.

--
Sean

From athompso at athompso.net Tue Feb 2 00:29:23 2010
From: athompso at athompso.net (Adam Thompson)
Date: Tue, 2 Feb 2010 06:29:23 +0000
Subject: [RndTbl] Debian doesn't see all RAM in a VM
Message-ID: <374637386-1265092137-cardhu_decombobulator_blackberry.rim.net-1041423637-@bda464.bisx.prod.on.blackberry>

Good idea, but that doesn't fly in an ESX VM.
I think the default emulation is of an S3-type PCI video card, and video memory is allocated from the host and presented discontiguously to the guest - just like a real S3 card.

I don't think ESXi (this is v3 or v3.1, right???) supports memory "ballooning", or that could have explained it.

Hmm. Eagerly awaiting more details...

------Original Message------
From: Cody, Sean
Sender: roundtable-bounces at muug.mb.ca
To: Roundtable, MUUG
Subject: Re: [RndTbl] Debian doesn't see all RAM in a VM
Sent: Feb 2, 2010 00:23

Shared video memory off alignment could make sense here but it is a radically weird number.
Video memory is the only hardware I've seen that would share RAM. Everything else I've seen in my limited experience has been using memory via memory mapped address space for DMA, nothing explicitly communicating via RAM itself.

On 2010-02-01, at 9:17 PM, Adam Thompson wrote:

> Agreeing completely with Sean here - and 900Mb is just plain a very strange number that makes even less sense than 1024Mb.

--
Sean

From gedetil at cs.umanitoba.ca Tue Feb 2 10:06:22 2010
From: gedetil at cs.umanitoba.ca (Gilbert E. Detillieux)
Date: Tue, 2 Feb 2010 10:06:22 -0600 (CST)
Subject: [RndTbl] MUUG Meeting, February 9, 7:30pm -- Disk Imaging
Message-ID: <201002021606.o12G6MM27731@iron.cs.umanitoba.ca>

The Manitoba UNIX User Group (MUUG) will be holding its next monthly meeting on Tuesday, February 9. The meeting topic for this month is as follows:

Disk Imaging

Adam Thompson will be covering disk imaging: who, what, why, where, when. Maybe even "how" if there's time! The presentation is expected to focus on the use of Partimage and related tools.

Before the break, as this month's RTFM topic, Sean Cody will deliver a remote, live presentation on a topic yet to be determined.
The group holds its general meetings at 7:30pm on the second Tuesday of every month from September to June. (There are no meetings in July and August.) Meetings are open to the general public; you don't have to be a MUUG member to attend.

**********************************************************************
Please note our meeting location: The IBM offices, at 400 Ellice Ave. (between Edmonton and Kennedy). When you arrive, you will have to sign in at the reception desk, and then wait for someone to take you (in groups) to the meeting room. Please try to arrive by about 7:15pm, so the meeting can start promptly at 7:30pm. Don't be late, or you may not get in. (But don't come too early either, since security may not be there to let you in before 7:15 or so.) Non-members may be required to show photo ID at the security desk.

Limited parking is available for free on the street, either on Ellice Ave. or on some of the intersecting streets. Indoor parking is also available nearby, at Portage Place, for $5.00 for the evening. Bicycle parking is available in a bike rack under video surveillance located behind the building on Webb Place.
**********************************************************************

For more information about MUUG, and its monthly meetings, check out their Web server:

    http://www.muug.mb.ca/

Help us promote this month's meeting, by putting this poster up on your workplace bulletin board or other suitable public message board:

    http://www.muug.mb.ca/meetings/MUUGmeeting.pdf

--
Gilbert E. Detillieux         E-mail:
Manitoba UNIX User Group      Web:    http://www.muug.mb.ca/
PO Box 130 St-Boniface        Phone:  (204)474-8161
Winnipeg MB CANADA R2H 3B4    Fax:    (204)474-7609

From sean.cody at primefocusworld.com Tue Feb 2 09:53:56 2010
From: sean.cody at primefocusworld.com (Sean Cody)
Date: Tue, 2 Feb 2010 07:53:56 -0800
Subject: [RndTbl] Debian Memory on a VM
In-Reply-To:
References:
Message-ID: <2DBAB61D-CAE9-42BD-AC0F-A516EA3FB5CB@primefocusworld.com>

Can you send me the VMX file for the VM?

I would try setting VM to 512 and go to 4GB and see where the upper limit is meaning there is some kind of resource pooling limit in ESX...

The idea came from here: http://www.van-lieshout.com/2009/04/esx-memory-management-part-1/

On 2010-02-02, at 7:46 AM, Doob,Brian [Wpg] wrote:

> I don't have access to my home email at work, so I'm bypassing the MUUG Roundtable for the moment.... My server is a Dell R710 with 24GB RAM running VMware ESXi 4.0. The guest VM has 2GB RAM, and the guest BIOS sees the full 2GB. Debian Sarge only sees 927129600 bytes. This is /proc/meminfo:
>
>         total:      used:      free:  shared:  buffers:    cached:
> Mem:   927129600  281206784  645922816        0  63918080  109105152
> Swap: 2780102656          0 2780102656
> MemTotal:   905400 kB
> MemFree:    630784 kB
> MemShared:       0 kB
> Buffers:     62420 kB
> Cached:     106548 kB
> SwapCached:      0 kB
> Active:     103484 kB
> Inactive:   102972 kB
> HighTotal:       0 kB
> HighFree:        0 kB
> LowTotal:   905400 kB
> LowFree:    630784 kB
> SwapTotal: 2714944 kB
> SwapFree:  2714944 kB
>
> I'm attaching output from dmesg and dmidecode (no "-t" option was available). I think the "905MB" was from top, but I was quoting from memory. The system is running kernel 2.4.27-3-386. I really appreciate your willingness to look into this. Thanks!
>
> Brian Doob
> MSC Regional Operations Division | MSC opérations régionales
> Infrastructure Operations Directorate | Direction générale des opérations de l'infrastructure
> Chief Information Officer Branch | Direction générale du dirigeant principal de l'information
> Environment Canada | Environnement Canada
> 123 Main Street, Suite 150 | 123, rue Main, pièce 150
> Winnipeg (Manitoba) R3C 4W2
> brian.doob at ec.gc.ca
> Telephone | Téléphone 204-983-8495
> Facsimile | Télécopieur 204-983-0109
> Government of Canada | Gouvernement du Canada
> Website | Site Web www.ec.gc.ca
>

--
Sean

From athompso at athompso.net Thu Feb 4 03:20:29 2010
From: athompso at athompso.net (Adam Thompson)
Date: Thu, 04 Feb 2010 03:20:29 -0600
Subject: [RndTbl] [OT] looking for recommendation
Message-ID: <4B6A915D.4080007@athompso.net>

Yes, this is off-topic and has nothing to do with UNIX... you've been warned and can stop reading now if that bothers you.

I'm looking for recommendations for a bookkeeper, or something like that: someone who can keep track of all the bits of paper I generate (esp. in the course of self-employment) and do something more meaningful with them than just shoving them into a (metaphorical) shoebox. It'd be nice if they had a clue about taxes, CPP deductions, that sort of thing, but not necessary - that's what an accountant is for, ultimately.

So... if you know anyone who might fit the bill, either pass their name on to me, or pass my name on to them.

Thank you for your patience, we now resume our regular programming.

-Adam Thompson
(204) 291-7950

From gedetil at cs.umanitoba.ca Mon Feb 8 10:04:15 2010
From: gedetil at cs.umanitoba.ca (Gilbert E. Detillieux)
Date: Mon, 08 Feb 2010 10:04:15 -0600
Subject: [RndTbl] Shaw dropping on greylist?
In-Reply-To: <20100206185943.5bd3d34a@pog.tecnopolis.ca>
References: <20100129005647.GA11356@pog.tecnopolis.ca> <4B6321D3.9020306@cs.umanitoba.ca> <20100206185943.5bd3d34a@pog.tecnopolis.ca>
Message-ID: <4B7035FF.2080205@cs.umanitoba.ca>

On 2010-02-06 18:59, roundtable at muug.mb.ca wrote:
> On 2010-01-29 Gilbert E. Detillieux wrote:
>> In any case, there are a lot of "legit" mail servers out there that
>> don't seem to handle greylisting well, which is why the default
>> configuration with milter-greylist comes with a whole list of "broken
>> mta" address ranges to whitelist.
>
> Right, using that broken list, but there is no self-updating. Anyone
> care to share their broken mta list? What's the range you're using for
> gmail?

This is the only "broken mta" range we've had to add to date...

    209.85.208.0/20 \ # google.com (gmail.com MTA range?)

--
Gilbert E. Detillieux         E-mail:
Manitoba UNIX User Group      Web:    http://www.muug.mb.ca/
PO Box 130 St-Boniface        Phone:  (204)474-8161
Winnipeg MB CANADA R2H 3B4    Fax:    (204)474-7609

From kevin.a.mcgregor at gmail.com Mon Feb 8 17:50:39 2010
From: kevin.a.mcgregor at gmail.com (Kevin McGregor)
Date: Mon, 8 Feb 2010 17:50:39 -0600
Subject: [RndTbl] RAID on Ubuntu
Message-ID: <6756caf11002081550hec1d523x6221a9d4609a7743@mail.gmail.com>

Here's my current hardware:
AMD Athlon 64 X2
4 GB RAM
120 GB IDE
3 x 750 SATA

What I'd like to do (please don't ask why) is install Ubuntu 9.10 on the 120 GB IDE, then set up a RAID 10 array with the remaining drives. Stop right there! Yes, I know I'd need four drives for that. So, I want to know if I can either set up two drives as RAID 0 or RAID 1, then later add a fourth drive and without data loss, migrate over to RAID 10. Or set it up as RAID 10 initially with a "failed" (missing) fourth drive, then add the drive later and "repair" the RAID 10 array.

Any hope?

Kevin

From robert at cluenet.org Mon Feb 8 18:52:17 2010
From: robert at cluenet.org (Robert Keizer)
Date: Mon, 08 Feb 2010 18:52:17 -0600
Subject: [RndTbl] RAID on Ubuntu
In-Reply-To: <6756caf11002081550hec1d523x6221a9d4609a7743@mail.gmail.com>
References: <6756caf11002081550hec1d523x6221a9d4609a7743@mail.gmail.com>
Message-ID: <4B70B1C1.7020902@cluenet.org>

Kevin McGregor wrote:
> Here's my current hardware:
> AMD Athlon 64 X2
> 4 GB RAM
> 120 GB IDE
> 3 x 750 SATA
>
> What I'd like to do (please don't ask why) is install Ubuntu 9.10 on
> the 120 GB IDE, then set up a RAID 10 array with the remaining drives.
> Stop right there! Yes, I know I'd need four drives for that. So, I
> want to know if I can either set up two drives as RAID 0 or RAID 1,
> then later add a fourth drive and without data loss, migrate over to
> RAID 10. Or set it up as RAID 10 initially with a "failed" (missing)
> fourth drive, then add the drive later and "repair" the RAID 10 array.
>
> Any hope?
>
> Kevin

I don't think what you're looking to do is possible.. I would just go with raid 5 on the 3 750gb drives..

Robert

From athompso at athompso.net Mon Feb 8 19:10:14 2010
From: athompso at athompso.net (Adam Thompson)
Date: Tue, 9 Feb 2010 01:10:14 +0000
Subject: [RndTbl] RAID on Ubuntu
In-Reply-To: <6756caf11002081550hec1d523x6221a9d4609a7743@mail.gmail.com>
References: <6756caf11002081550hec1d523x6221a9d4609a7743@mail.gmail.com>
Message-ID: <2135151455-1265677802-cardhu_decombobulator_blackberry.rim.net-1146298520-@bda464.bisx.prod.on.blackberry>

Yes, if you use mdadm at the command-line to create the array. Assume the existence of four drives, plan your RAID layout accordingly, then when it comes time to run the mdadm --create command, substitute the keyword "missing" for "/dev/sdX".

If you're using LVM or device-mapper, then this method won't work.
You can even build a RAID-5 array on two drives this way (but it's as slow as running in degraded mode - because it *is* in degraded mode).

In your place, if the SATA ports in the system are bootable, I would sacrifice 100Mb from each of the 750Gb drives as a "/boot" partition - RAID-1 x 4, then set up the rest of the drives as the root FS. You'll see a *dramatic* speed gain over the single 120Gb IDE drive that way.

-Adam

-----Original Message-----
From: Kevin McGregor
Date: Mon, 8 Feb 2010 17:50:39
To: MUUG Roundtable
Subject: [RndTbl] RAID on Ubuntu

From montanaq at gmail.com Tue Feb 16 12:38:11 2010
From: montanaq at gmail.com (Montana Quiring)
Date: Tue, 16 Feb 2010 12:38:11 -0600
Subject: [RndTbl] Manage resources
Message-ID:

Hello,

Right now I'm doing the spreadsheet things so, I need to set myself up with managing my resources better. (i.e. things like IP's, computers, servers, switches, software etc)
I like the idea of managing my resources using LDAP objects with a web front end to share with my colleagues. Is anyone doing that and could share what they use?
Is there any other OSS product that may not be LDAP based but you would highly recommend?

-Montana
Blog and Aggregation Site:
http://montanaquiring.info
iPhone/Touch Apps I have bought:
http://appshopper.com/feed/user/antikx/myapps

From sean at tinfoilhat.ca Tue Feb 16 12:52:08 2010
From: sean at tinfoilhat.ca (Sean Cody)
Date: Tue, 16 Feb 2010 12:52:08 -0600
Subject: [RndTbl] Manage resources
In-Reply-To:
References:
Message-ID:

For people... we use OpenLDAP.

For computers on our SMB+LDAP domain we're using Samba3+OpenLDAP.
For random equipment... that's SNMP baby! :P

Nagios + SNMP is being built right now for monitoring though I know one of my team in Vancouver is using a free version of SpiceWorks to keep an eye on things.

On 2010-02-16, at 12:38 PM, Montana Quiring wrote:

> Hello,
>
> Right now I'm doing the spreadsheet things so, I need to set myself up with managing my resources better. (i.e. things like IP's, computers, servers, switches, software etc)
> I like the idea of managing my resources using LDAP objects with a web front end to share with my colleagues. Is anyone doing that and could share what they use?
> Is there any other OSS product that may not be LDAP based but you would highly recommend?
>
> -Montana
> Blog and Aggregation Site:
> http://montanaquiring.info
> iPhone/Touch Apps I have bought:
> http://appshopper.com/feed/user/antikx/myapps

--
Sean

From montanaq at gmail.com Tue Feb 16 13:31:45 2010
From: montanaq at gmail.com (Montana Quiring)
Date: Tue, 16 Feb 2010 13:31:45 -0600
Subject: [RndTbl] Manage resources
In-Reply-To:
References:
Message-ID:

cool thanks for all the feedback.

-Montana
Blog and Aggregation Site:
http://montanaquiring.info
iPhone/Touch Apps I have bought:
http://appshopper.com/feed/user/antikx/myapps

On Tue, Feb 16, 2010 at 12:52 PM, Sean Cody wrote:

> For people... we use OpenLDAP.
>
> For computers on our SMB+LDAP domain we're using Samba3+OpenLDAP.
> For random equipment... that's SNMP baby! :P
>
> Nagios + SNMP is being built right now for monitoring though I know one of
> my team in Vancouver is using a free version of SpiceWorks to keep an eye on
> things.
>
> On 2010-02-16, at 12:38 PM, Montana Quiring wrote:
>
> Hello,
>
> Right now I'm doing the spreadsheet things so, I need to set myself up with
> managing my resources better. (i.e. things like IP's, computers, servers,
> switches, software etc)
> I like the idea of managing my resources using LDAP objects with a web
> front end to share with my colleagues. Is anyone doing that and could share
> what they use?
> Is there any other OSS product that may not be LDAP based but you
> would highly recommend?
>
> -Montana
> Blog and Aggregation Site:
> http://montanaquiring.info
> iPhone/Touch Apps I have bought:
> http://appshopper.com/feed/user/antikx/myapps
>
> --
> Sean
>

From robert at cluenet.org Tue Feb 16 17:11:23 2010
From: robert at cluenet.org (Robert Keizer)
Date: Tue, 16 Feb 2010 16:11:23 -0700
Subject: [RndTbl] Manage resources
In-Reply-To:
References:
Message-ID:

I'm mostly doing the nagios/snmp.. If you have any questions with setting up either one give me a shout..

Btw: banff is nice :)

Robert

On Feb 16, 2010, at 11:52 AM, Sean Cody wrote:

> Nagios + SNMP is being built right now for monitoring though I know
> one of my team in Vancouver is using a free version of SpiceWorks to
> keep an eye on things.
>
> On 2010-02-16, at 12:38 PM, Montana Quiring wrote:
>
>> Hello,
>>
>> Right now I'm doing the spreadsheet things so, I need to set myself
>> up with managing my resources better. (i.e.
>> things like IP's,
>> computers, servers, switches, software etc)
>> I like the idea of managing my resources using LDAP objects with a
>> web front end to share with my colleagues. Is anyone doing that and
>> could share what they use?
>> Is there any other OSS product that may not be LDAP based but
>> you would highly recommend?
>>
>> -Montana
>> Blog and Aggregation Site:
>> http://montanaquiring.info
>> iPhone/Touch Apps I have bought:
>> http://appshopper.com/feed/user/antikx/myapps
>
> --
> Sean

From kel at kelweb.ca Wed Feb 17 21:00:05 2010
From: kel at kelweb.ca (Kelly Leveille)
Date: Wed, 17 Feb 2010 21:00:05 -0600
Subject: [RndTbl] firewall/router in a VM
Message-ID:

Hi All,

I'm considering setting up a firewall/router in a virtual machine to separate a couple networks in my home. I intend to dedicate one of the host NICs to the WAN port of the router VM & will not load a TCP stack for that NIC in the host OS (ESXi supports this config). In theory, this configuration is as secure as a hardware router because packets can only be routed via the VM.

My questions are:

Have any of you had any good/bad experiences with this type of setup & are there potential security risks I'm not considering?

Also, if you think this is not as secure as a hardware based solution, please explain why not.

I'm not doing it to save money. I am aware that I could do the same thing with a consumer router. I'm just interested in the possibility.
Thanks,
--
Kelly

From sean at ertw.com Wed Feb 17 21:45:16 2010
From: sean at ertw.com (Sean Walberg)
Date: Wed, 17 Feb 2010 21:45:16 -0600
Subject: [RndTbl] Anyone want a SunBlade 100?
Message-ID:

I have a SunBlade 100 I don't use. Just the chassis, about the size of a regular desktop machine. Not sure of the specs, but I'm pretty sure it has Solaris 8 on it. I'll even throw in a "Solaris 8 essential reference" guide :)

Anyone want it?

Sean

--
Sean Walberg http://ertw.com/

From swalberg at gmail.com Wed Feb 17 21:52:17 2010
From: swalberg at gmail.com (Sean Walberg)
Date: Wed, 17 Feb 2010 21:52:17 -0600
Subject: [RndTbl] firewall/router in a VM
In-Reply-To:
References:
Message-ID:

If you don't have to submit to the wrath of an auditor, it's probably good enough.

In terms of security risks, your hypervisor/host OS needs to be locked down, as an attacker could present the WAN NIC to another guest and route it that way, or launch a new VM with both NICs. Again, not something to worry about at home.

FWIW, the auditors I've run up against, especially in PCI, don't look at the virtual switching in a virtual environment the way they do on a physical switch. That is, they won't blink if you separate two networks with VLANs, but put two VMs on different VLANs using a trunk to the ESX server and oh boy...

Sean

On Wed, Feb 17, 2010 at 9:00 PM, Kelly Leveille wrote:

> Hi All,
>
> I'm considering setting up a firewall/router in a virtual machine to
> separate a couple networks in my home.
> I intend to dedicate one of the host
> NICs to the WAN port of the router VM & will not load a TCP stack for that
> NIC in the host OS (ESXi supports this config). In theory, this
> configuration is as secure as a hardware router because packets can only be
> routed via the VM.
>
> My questions are:
>
> Have any of you had any good/bad experiences with this type of setup & are
> there potential security risks I'm not considering?
>
> Also, if you think this is not as secure as a hardware based solution,
> please explain why not.
>
> I'm not doing it to save money. I am aware that I could do the same thing
> with a consumer router. I'm just interested in the possibility.
>
> Thanks,
> --
> Kelly
>

--
Sean Walberg http://ertw.com/

From athompso at athompso.net Wed Feb 17 22:20:52 2010
From: athompso at athompso.net (Adam Thompson)
Date: Thu, 18 Feb 2010 04:20:52 +0000
Subject: [RndTbl] firewall/router in a VM
Message-ID: <1105778248-1266466846-cardhu_decombobulator_blackberry.rim.net-2034846348-@bda464.bisx.prod.on.blackberry>

That's because we don't, collectively, think about hardware. And we don't think about hardware being buggy. And we especially don't think about "hardware" having inherent security flaws.

(OK, yes, the security folks who crossed over *into* IT do. They aren't auditors, for better or worse.)

A Cisco router is "software" enough (and has had enough bugs :-) that it crosses into our conscious awareness regarding security, but their switches? Nah. Mature product, all hardware (despite running an OS), no bugs. Either works or it doesn't.

Bullshit.
Show me a hardware-accelerated device and I can show you half a dozen ways it could fail unnoticed, (potentially) compromising security as it goes.

Notice that we install local firewalls on every PC but don't use ECC memory to guard against random bit errors. (I do, BTW - even on my PC. It's one small part of why I don't have a laptop.) A HERF gun is a better DoS tool than any virus or worm, by several objective measurements.

The entire IT industry has its head stuck up... you know where, in so many different ways.

Yet, this isn't surprising. Humans want instant gratification, a free ride, and the illusion of control. Those things are all way easier with software than with hardware. (Contemplate the difference between "soft" and "hard", if you will, for a moment.)

Do I expect this to change any time before the heat death of the universe? No. But I sure wish auditors took a wider view of the world.

"Never attribute to malice that which can be adequately explained by stupidity." - Hanlon's Razor (among other attributions)

-Adam

From athompso at athompso.net Thu Feb 18 11:05:11 2010
From: athompso at athompso.net (Adam Thompson)
Date: Thu, 18 Feb 2010 11:05:11 -0600
Subject: [RndTbl] News: TPM chip hacked
Message-ID: <4B7D7347.8090709@athompso.net>

http://www.google.com/hostednews/ap/article/ALeqM5j-OodvoFRhEcpfvnK5C7YL6JWJBQD9DO79A81

*cough*

Yeah, that's good timing after the rant I posted yesterday :-)

-Adam

From swalberg at gmail.com Thu Feb 18 11:21:46 2010
From: swalberg at gmail.com (Sean Walberg)
Date: Thu, 18 Feb 2010 11:21:46 -0600
Subject: [RndTbl] firewall/router in a VM
In-Reply-To: <1105778248-1266466846-cardhu_decombobulator_blackberry.rim.net-2034846348-@bda464.bisx.prod.on.blackberry>
References: <1105778248-1266466846-cardhu_decombobulator_blackberry.rim.net-2034846348-@bda464.bisx.prod.on.blackberry>
Message-ID:

What you say is not untrue, but the larger issues (IMHO) are that:

1. Most people design such that they avoid trouble and confrontation.
2. Most IT auditors have no IT experience.

For #1, most people have lost the ability to rationally assess risk. No one wants to be the guy to say "I saved $xxxxx by specing a lower box that will still handle the load" or some variation of that when that's the first decision that's going to be looked at if there is a problem. In most cases the IT department has lost touch with the business value they provide. So we get this proliferation of redundant servers and network gear that sits idle.

There is an aspect of hardware to it, though. Developers tend to assume they are writing to a machine that executes commands in zero clock cycles, has infinite memory, and has a network with zero latency and infinite bandwidth. Rather than try and correct these misunderstandings, IT will throw money at the problem to make it run and not get blamed.

For #2, I'm not sure what else has to be said. I have only met one auditor who I respect and actually gets these kind of discussions. He explained to me that he understood some of these things made no technical difference, but the problem was to convince every other auditor. Sometimes it's easier just to bite the bullet and do things sub-optimally rather than having to spend several hours explaining it each time the (new) audit team comes around. Back to #1, the cost of being right is high and the benefits are almost nil.

With respects to your arguments you're mixing data durability and data loss prevention. They are both aspects of security (eg, mitigating risk), but I'm sure that most IT departments would agree that they are more worried about a critical Excel spreadsheet getting in the hands of the media or competition than they are having Excel crash because of a memory error. The cost and likelihood of the former dwarf that of the latter.

Sean

On Wed, Feb 17, 2010 at 10:20 PM, Adam Thompson wrote:

>
> That's because we don't, collectively, think about hardware. And we don't
> think about hardware being buggy.
And we especially don't think about > "hardware" having inherent security flaws. > > (OK, yes, the security folks who crossed over *into* IT do. They aren't > auditors, for better or worse.) > > A Cisco router is "software" enough (and has had enough bugs :-) that it > crosses into our conscious awareness regarding security, but their switches? > Nah. Mature product, all hardware (despite running an OS), no bugs. > Either works or it doesn't. > > Bullshit. > > Show me a hardware-accelerated device and I can show you half a dozen ways > it could fail unnoticed, (potentially) compromising security as it goes. > > Notice that we install local firewalls on every PC but don't use ECC memory > to guard against random bit errors. (I do, BTW - even on my PC. It's one > small part of why I don't have a laptop.) A HERF gun is a better DoS tool > than any virus or worm, by several objective measurements. > > The entire IT industry has its head stuck up... you know where, in so many > different ways. > > Yet, this isn't surprising. Humans want instant gratification, a free > ride, and the illusion of control. Those things are all way easier with > software than with hardware. (Contemplate the difference between "soft" and > "hard", if you will, for a moment.) > > Do I expect this to change any time before the heat death of the universe? > No. But I sure wish auditors took a wider view of the world. > > "Never attribute to malice that which can be adequately explained by > stupidity." - Hanlon's Razor (among other attributions) > > > -Adam > -- Sean Walberg http://ertw.com/ -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://www.muug.mb.ca/pipermail/roundtable/attachments/20100218/8a1d75ab/attachment.html

From wyatt at prairieturtle.ca Thu Feb 18 21:09:26 2010
From: wyatt at prairieturtle.ca (Daryl F)
Date: Thu, 18 Feb 2010 21:09:26 -0600 (CST)
Subject: [RndTbl] firewall/router in a VM
In-Reply-To:
References: <1105778248-1266466846-cardhu_decombobulator_blackberry.rim.net-2034846348-@bda464.bisx.prod.on.blackberry>
Message-ID:

Personally I find there is another aspect of data security that is often overlooked: data accuracy. As the owner of valuable data I want it protected from loss and private but I also want it to be correct.

There are many who believe that an application always crashes when there is an undetected memory error but that is not always the case. One of the most difficult problems to track down is caused when data resides in flaky RAM and then is written to disk where it is faithfully recorded inaccurately forever.

Hardly anyone writes code to see if their spreadsheet adds 2+2, comes up with 4, then saves it to disk as a 5 via a DMA transfer from bad RAM. Eventually some program blows up executing from the bad RAM and it is finally replaced but now we have some amount of bad data floating around on durable media.

I'm constantly astonished by the amount of corrected ECC memory errors I see over time in the servers I care for. The DIMMs eventually fail but I feel more secure knowing corrupt data was never transferred from place to place.

While auditors may have convinced their customers it is really important to have data security and data durability have you ever heard any of them ask their customers if they are OK with data inaccuracy?

I think non-ECC memory should be illegal. Somebody's gonna lose an eye and it won't be funny any more.

-Daryl

On Thu, 18 Feb 2010, Sean Walberg wrote:

> What you say is not untrue, but the larger issues (IMHO) are that:
>
> 1. Most people design such that they avoid trouble and confrontation.
> 2.
Most IT auditors have no IT experience.
>
> For #1, most people have lost the ability to rationally assess risk. No one
> wants to be the guy to say "I saved $xxxxx by speccing a lower box that will
> still handle the load" or some variation of that when that's the first
> decision that's going to be looked at if there is a problem. In most cases
> the IT department has lost touch with the business value they provide. So we
> get this proliferation of redundant servers and network gear that sits idle.
>
> There is an aspect of hardware to it, though. Developers tend to assume they
> are writing to a machine that executes commands in zero clock cycles, has
> infinite memory, and has a network with zero latency and infinite bandwidth.
> Rather than try and correct these misunderstandings, IT will throw money at
> the problem to make it run and not get blamed.
>
> For #2, I'm not sure what else has to be said. I have only met one auditor
> who I respect and actually gets these kinds of discussions. He explained to
> me that he understood some of these things made no technical difference, but
> the problem was to convince every other auditor. Sometimes it's easier just
> to bite the bullet and do things sub-optimally rather than having to spend
> several hours explaining it each time the (new) audit team comes around.
> Back to #1, the cost of being right is high and the benefits are almost nil.
>
> With respect to your arguments, you're mixing data durability and data loss
> prevention. They are both aspects of security (e.g., mitigating risk), but I'm
> sure that most IT departments would agree that they are more worried about a
> critical Excel spreadsheet getting in the hands of the media or competition
> than they are having Excel crash because of a memory error. The cost
> and likelihood of the former dwarf that of the latter.
>
> Sean
>
> On Wed, Feb 17, 2010 at 10:20 PM, Adam Thompson wrote:
>
>>
>> That's because we don't, collectively, think about hardware.
And we don't
>> think about hardware being buggy. And we especially don't think about
>> "hardware" having inherent security flaws.
>>
>> (OK, yes, the security folks who crossed over *into* IT do. They aren't
>> auditors, for better or worse.)
>>
>> A Cisco router is "software" enough (and has had enough bugs :-) that it
>> crosses into our conscious awareness regarding security, but their switches?
>> Nah. Mature product, all hardware (despite running an OS), no bugs.
>> Either works or it doesn't.
>>
>> Bullshit.
>>
>> Show me a hardware-accelerated device and I can show you half a dozen ways
>> it could fail unnoticed, (potentially) compromising security as it goes.
>>
>> Notice that we install local firewalls on every PC but don't use ECC memory
>> to guard against random bit errors. (I do, BTW - even on my PC. It's one
>> small part of why I don't have a laptop.) A HERF gun is a better DoS tool
>> than any virus or worm, by several objective measurements.
>>
>> The entire IT industry has its head stuck up... you know where, in so many
>> different ways.
>>
>> Yet, this isn't surprising. Humans want instant gratification, a free
>> ride, and the illusion of control. Those things are all way easier with
>> software than with hardware. (Contemplate the difference between "soft" and
>> "hard", if you will, for a moment.)
>>
>> Do I expect this to change any time before the heat death of the universe?
>> No. But I sure wish auditors took a wider view of the world.
>>
>> "Never attribute to malice that which can be adequately explained by
>> stupidity."
- Hanlon's Razor (among other attributions)
>>
>>
>> -Adam
>>
>
>

From kevin.a.mcgregor at gmail.com Fri Feb 19 10:26:53 2010
From: kevin.a.mcgregor at gmail.com (Kevin McGregor)
Date: Fri, 19 Feb 2010 10:26:53 -0600
Subject: [RndTbl] firewall/router in a VM
In-Reply-To: <6756caf11002190707p2051ab60w797bb6167b0b4825@mail.gmail.com>
References: <1105778248-1266466846-cardhu_decombobulator_blackberry.rim.net-2034846348-@bda464.bisx.prod.on.blackberry> <6756caf11002190707p2051ab60w797bb6167b0b4825@mail.gmail.com>
Message-ID: <6756caf11002190826r25a18622t3286a7288cbf3f72@mail.gmail.com>

Hmm: Kingston ValueRAM 4GB PC3-10600 DDR3 SDRAM ECC Kit (2 x 2GB)
...or $40/GB at Memory Express (special order, though). Is that reasonable? Do people generally trust Kingston for RAM?

On Fri, Feb 19, 2010 at 9:07 AM, Kevin McGregor wrote:

> While we're on the topic, what sort of desktop-PC motherboards are
> available that support ECC memory? I've never really paid attention, so for
> all I know, ECC support is common.
>
>
> On Thu, Feb 18, 2010 at 9:09 PM, Daryl F wrote:
>
>> Personally I find there is another aspect of data security that is often
>> overlooked: data accuracy. As the owner of valuable data I want it
>> protected from loss and private but I also want it to be correct.
>>
>> There are many who believe that an application always crashes when there
>> is an undetected memory error but that is not always the case. One of the
>> most difficult problems to track down is caused when data resides in flaky
>> RAM and then is written to disk where it is faithfully recorded
>> inaccurately forever.
>>
>> Hardly anyone writes code to see if their spreadsheet adds 2+2, comes up
>> with 4, then saves it to disk as a 5 via a DMA transfer from bad RAM.
>> Eventually some program blows up executing from the bad RAM and it is
>> finally replaced but now we have some amount of bad data floating around
>> on durable media.
>> >> I'm constantly astonished by the amount of corrected ECC memory errors I >> see over time in the servers I care for. The DIMMs eventually fail but I >> feel more secure knowing corrupt data was never transferred from place to >> place. >> >> While auditors may have convinced their customers it is really important >> to have data security and data durability have you ever heard any of them >> ask their customers if they are OK with data inaccuracy? >> >> I think non-ECC memory should be illegal. Somebody's gonna lose an eye and >> it won't be funny any more. >> >> -Daryl >> >> >> On Thu, 18 Feb 2010, Sean Walberg wrote: >> >> > What you say is not untrue, but the larger issues (IMHO) are that: >> > >> > 1. Most people design such that they avoid trouble and confrontation. >> > 2. Most IT auditors have no IT experience. >> > >> > For #1, most people have lost the ability to rationally assess risk. No >> one >> > wants to be the guy to say "I saved $xxxxx by specing a lower box that >> will >> > still handle the load" or some variation of that when that's the first >> > decision that's going to be looked at if there is a problem. In most >> cases >> > the IT department has lost touch with the business value they provide. >> So we >> > get this proliferation of redundant servers and network gear that sits >> idle. >> > >> > There is an aspect of hardware to it, though. Developers tend to assume >> they >> > are writing to a machine that executes commands in zero clock cycles, >> has >> > infinite memory, and has a network with zero latency and infinite >> bandwidth. >> > Rather than try and correct these misunderstandings, IT will throw money >> at >> > the problem to make it run and not get blamed. >> > >> > For #2, I'm not sure what else has to be said. I have only met one >> auditor >> > who I respect and actually gets these kind of discussions. 
He explained >> to >> > me that he understood some of these things made no technical difference, >> but >> > the problem was to convince every other auditor. Sometimes it's easier >> just >> > to bite the bullet and do things sub-optimally rather than having to >> spend >> > several hours explaining it each time the (new) audit team comes around. >> > Back to #1, the cost of being right is high and the benefits are almost >> nil. >> > >> > With respects to your arguments you're mixing data durability and data >> loss >> > prevention. They are both aspects of security (eg, mitigating risk), but >> I'm >> > sure that most IT departments would agree that they are more worried >> about a >> > critical Excel spreadsheet getting in the hands of the media or >> competition >> > than they are having Excel crash because of a memory error. The cost >> > and likelihood of the former dwarf that of the latter. >> > >> > Sean >> > >> > On Wed, Feb 17, 2010 at 10:20 PM, Adam Thompson > >wrote: >> > >> >> >> >> That's because we don't, collectively, think about hardware. And we >> don't >> >> think about hardware being buggy. And we especially don't think about >> >> "hardware" having inherent security flaws. >> >> >> >> (OK, yes, the security folks who crossed over *into* IT do. They >> aren't >> >> auditors, for better or worse.) >> >> >> >> A Cisco router is "software" enough (and has had enough bugs :-) that >> it >> >> crosses into our conscious awareness regarding security, but their >> switches? >> >> Nah. Mature product, all hardware (despite running an OS), no bugs. >> >> Either works or it doesn't. >> >> >> >> Bullshit. >> >> >> >> Show me a hardware-accelerated device and I can show you half a dozen >> ways >> >> it could fail unnoticed, (potentially) compromising security as it >> goes. >> >> >> >> Notice that we install local firewalls on every PC but don't use ECC >> memory >> >> to guard against random bit errors. (I do, BTW - even on my PC. 
It's
>> one
>> >> small part of why I don't have a laptop.) A HERF gun is a better DoS
>> tool
>> >> than any virus or worm, by several objective measurements.
>> >>
>> >> The entire IT industry has its head stuck up... you know where, in so
>> many
>> >> different ways.
>> >>
>> >> Yet, this isn't surprising. Humans want instant gratification, a free
>> >> ride, and the illusion of control. Those things are all way easier
>> with
>> >> software than with hardware. (Contemplate the difference between
>> "soft" and
>> >> "hard", if you will, for a moment.)
>> >>
>> >> Do I expect this to change any time before the heat death of the
>> universe?
>> >> No. But I sure wish auditors took a wider view of the world.
>> >>
>> >> "Never attribute to malice that which can be adequately explained by
>> >> stupidity." - Hanlon's Razor (among other attributions)
>> >>
>> >>
>> >> -Adam
>> >>
>> >
>> >
>> _______________________________________________
>> Roundtable mailing list
>> Roundtable at muug.mb.ca
>> http://www.muug.mb.ca/mailman/listinfo/roundtable
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.muug.mb.ca/pipermail/roundtable/attachments/20100219/854c42d2/attachment.html

From kevin.a.mcgregor at gmail.com Fri Feb 19 09:07:24 2010
From: kevin.a.mcgregor at gmail.com (Kevin McGregor)
Date: Fri, 19 Feb 2010 09:07:24 -0600
Subject: [RndTbl] firewall/router in a VM
In-Reply-To:
References: <1105778248-1266466846-cardhu_decombobulator_blackberry.rim.net-2034846348-@bda464.bisx.prod.on.blackberry>
Message-ID: <6756caf11002190707p2051ab60w797bb6167b0b4825@mail.gmail.com>

While we're on the topic, what sort of desktop-PC motherboards are available that support ECC memory? I've never really paid attention, so for all I know, ECC support is common.

On Thu, Feb 18, 2010 at 9:09 PM, Daryl F wrote:

> Personally I find there is another aspect of data security that is often
> overlooked: data accuracy.
As the owner of valuable data I want it > protected from loss and private but I also want it to be correct. > > There are many who believe that an application always crashes when there > is an undetected memory error but that is not always the case. One of the > most difficult problems to track down is caused when data resides in flaky > RAM and then is written to disk where it is faithfully recorded > inaccurately forever. > > Hardly anyone writes code to see if their spreadsheet adds 2+2, comes up > with 4, then saves it to disk as a 5 via a DMA transfer from bad RAM. > Eventually some program blows up executing from the bad RAM and it is > finally replaced but now we have some amount of bad data floating around > on durable media. > > I'm constantly astonished by the amount of corrected ECC memory errors I > see over time in the servers I care for. The DIMMs eventually fail but I > feel more secure knowing corrupt data was never transferred from place to > place. > > While auditors may have convinced their customers it is really important > to have data security and data durability have you ever heard any of them > ask their customers if they are OK with data inaccuracy? > > I think non-ECC memory should be illegal. Somebody's gonna lose an eye and > it won't be funny any more. > > -Daryl > > > On Thu, 18 Feb 2010, Sean Walberg wrote: > > > What you say is not untrue, but the larger issues (IMHO) are that: > > > > 1. Most people design such that they avoid trouble and confrontation. > > 2. Most IT auditors have no IT experience. > > > > For #1, most people have lost the ability to rationally assess risk. No > one > > wants to be the guy to say "I saved $xxxxx by specing a lower box that > will > > still handle the load" or some variation of that when that's the first > > decision that's going to be looked at if there is a problem. In most > cases > > the IT department has lost touch with the business value they provide. 
So > we > > get this proliferation of redundant servers and network gear that sits > idle. > > > > There is an aspect of hardware to it, though. Developers tend to assume > they > > are writing to a machine that executes commands in zero clock cycles, has > > infinite memory, and has a network with zero latency and infinite > bandwidth. > > Rather than try and correct these misunderstandings, IT will throw money > at > > the problem to make it run and not get blamed. > > > > For #2, I'm not sure what else has to be said. I have only met one > auditor > > who I respect and actually gets these kind of discussions. He explained > to > > me that he understood some of these things made no technical difference, > but > > the problem was to convince every other auditor. Sometimes it's easier > just > > to bite the bullet and do things sub-optimally rather than having to > spend > > several hours explaining it each time the (new) audit team comes around. > > Back to #1, the cost of being right is high and the benefits are almost > nil. > > > > With respects to your arguments you're mixing data durability and data > loss > > prevention. They are both aspects of security (eg, mitigating risk), but > I'm > > sure that most IT departments would agree that they are more worried > about a > > critical Excel spreadsheet getting in the hands of the media or > competition > > than they are having Excel crash because of a memory error. The cost > > and likelihood of the former dwarf that of the latter. > > > > Sean > > > > On Wed, Feb 17, 2010 at 10:20 PM, Adam Thompson >wrote: > > > >> > >> That's because we don't, collectively, think about hardware. And we > don't > >> think about hardware being buggy. And we especially don't think about > >> "hardware" having inherent security flaws. > >> > >> (OK, yes, the security folks who crossed over *into* IT do. They aren't > >> auditors, for better or worse.) 
> >> > >> A Cisco router is "software" enough (and has had enough bugs :-) that it > >> crosses into our conscious awareness regarding security, but their > switches? > >> Nah. Mature product, all hardware (despite running an OS), no bugs. > >> Either works or it doesn't. > >> > >> Bullshit. > >> > >> Show me a hardware-accelerated device and I can show you half a dozen > ways > >> it could fail unnoticed, (potentially) compromising security as it goes. > >> > >> Notice that we install local firewalls on every PC but don't use ECC > memory > >> to guard against random bit errors. (I do, BTW - even on my PC. It's > one > >> small part of why I don't have a laptop.) A HERF gun is a better DoS > tool > >> than any virus or worm, by several objective measurements. > >> > >> The entire IT industry has its head stuck up... you know where, in so > many > >> different ways. > >> > >> Yet, this isn't surprising. Humans want instant gratification, a free > >> ride, and the illusion of control. Those things are all way easier with > >> software than with hardware. (Contemplate the difference between "soft" > and > >> "hard", if you will, for a moment.) > >> > >> Do I expect this to change any time before the heat death of the > universe? > >> No. But I sure wish auditors took a wider view of the world. > >> > >> "Never attribute to malice that which can be adequately explained by > >> stupidity." - Hanlon's Razor (among other attributions) > >> > >> > >> -Adam > >> > > > > > _______________________________________________ > Roundtable mailing list > Roundtable at muug.mb.ca > http://www.muug.mb.ca/mailman/listinfo/roundtable > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://www.muug.mb.ca/pipermail/roundtable/attachments/20100219/ec9dd779/attachment-0001.html

From athompso at athompso.net Fri Feb 19 11:17:13 2010
From: athompso at athompso.net (Adam Thompson)
Date: Fri, 19 Feb 2010 11:17:13 -0600
Subject: [RndTbl] firewall/router in a VM
In-Reply-To: <6756caf11002190707p2051ab60w797bb6167b0b4825@mail.gmail.com>
References: <1105778248-1266466846-cardhu_decombobulator_blackberry.rim.net-2034846348-@bda464.bisx.prod.on.blackberry> <6756caf11002190707p2051ab60w797bb6167b0b4825@mail.gmail.com>
Message-ID: <4B7EC799.1060407@athompso.net>

On 2010-Feb-19 09:07, Kevin McGregor wrote:
> While we're on the topic, what sort of desktop-PC motherboards are
> available that support ECC memory? I've never really paid attention, so
> for all I know, ECC support is common.

Not very many. The only non-server-grade chipset I'm aware of that supports ECC is Intel's X58, as embodied in their WX58BP motherboard. Which sells for (typically) just under $300. That's at the cheap end of things, anyway. (vis. Dell Precision T3500, for anywhere from $1400 to $13,000 depending on configuration!)

Note that this also requires a Xeon CPU, which thankfully isn't much more than its non-Xeon siblings. The one that's most sensibly priced is the Intel W3520, at somewhere around $350.

There's an X38 chipset as well, which may support ECC, but it appears to be pretty rare on the ground in any case. The *only* example I've found of a shipping system is the Dell Precision T3400!

The X38 & X58 are single-socket solutions; the Intel 5500-series chipsets support dual-CPU configurations. The 5500 series is billed as both a "workstation" and a "server" chipset - take your pick. Dell currently markets two workstations based on the 5520.

From what I can tell, ECC is the primary differentiator between "desktop" and "workstation" class systems right now. Xeon support seems to be the 2nd-order discriminant. Although that's not really a hard-and-fast rule.
Dell, for example, bases their T1500 "workstation" on the P55/H57 chipset, which does not support ECC. Of course, that's the only workstation they do sell without ECC - and not even the cheapest one! - so I'll forgive them that :-).

I'm not aware of any nVidia chipsets that support ECC.

Some AMD Opteron-supporting chipsets should support ECC, but I'm not familiar with that part of the market at all.

-Adam

From athompso at muug.mb.ca Fri Feb 19 11:24:20 2010
From: athompso at muug.mb.ca (Adam Thompson)
Date: Fri, 19 Feb 2010 11:24:20 -0600
Subject: [RndTbl] firewall/router in a VM
In-Reply-To: <6756caf11002190826r25a18622t3286a7288cbf3f72@mail.gmail.com>
References: <1105778248-1266466846-cardhu_decombobulator_blackberry.rim.net-2034846348-@bda464.bisx.prod.on.blackberry> <6756caf11002190707p2051ab60w797bb6167b0b4825@mail.gmail.com> <6756caf11002190826r25a18622t3286a7288cbf3f72@mail.gmail.com>
Message-ID: <4B7EC944.90300@muug.mb.ca>

On 2010-Feb-19 10:26, Kevin McGregor wrote:
> Kingston ValueRAM 4GB PC3-10600 DDR3 SDRAM ECC Kit (2 x 2GB)
> ...or $40/GB at Memory Express (special order, though). Is that
> reasonable? Do people generally trust Kingston for RAM?

The price is reasonable, not fantastic. The PC3-1300 ram is probably cheaper, and most likely will work fine in a PC3-1060 motherboard, BTW. (Which is why PC3-1060 RAM is often special-order now.)

Trust: absolutely, yes. Kingston has a reputation of delivering better-than-OEM quality in their top-line OEM-replacement series, and I've been using their ValueRAM line consistently without problems for about 10 years now.

I only know of three instances - ever - where Kingston RAM had to be returned, at which point their lifetime warranty definitely counted in their favour.
The difference between their ValueRAM line and the OEM line is essentially, they build ValueRAM "to spec" (well, actually slightly better than spec) and guarantee it'll work as intended, not necessarily in your particular motherboard; whereas the OEM stuff they build to spec and actually validate it in one or more samples of the specific targeted systems, and it's guaranteed to work in system X if they say it will.

I've noticed that some of the (expensive!) ValueRAM modules appear to be identical to the more expensive OEM-replacement modules; apparently you're paying more for the validation and warranty than for any actual difference in product.

-Adam

From swalberg at gmail.com Fri Feb 19 11:31:56 2010
From: swalberg at gmail.com (Sean Walberg)
Date: Fri, 19 Feb 2010 11:31:56 -0600
Subject: [RndTbl] firewall/router in a VM
In-Reply-To: <4B7EC944.90300@muug.mb.ca>
References: <1105778248-1266466846-cardhu_decombobulator_blackberry.rim.net-2034846348-@bda464.bisx.prod.on.blackberry> <6756caf11002190707p2051ab60w797bb6167b0b4825@mail.gmail.com> <6756caf11002190826r25a18622t3286a7288cbf3f72@mail.gmail.com> <4B7EC944.90300@muug.mb.ca>
Message-ID:

On Fri, Feb 19, 2010 at 11:24 AM, Adam Thompson wrote:

>
> Trust: absolutely, yes. Kingston has a reputation of delivering
> better-than-OEM quality in their top-line OEM-replacement series, and
> I've been using their ValueRAM line consistently without problems for
> about 10 years now.
>

An interesting article about Kingston flash memory and quality, or lack thereof.

http://www.bunniestudios.com/blog/?p=918

Sean

--
Sean Walberg http://ertw.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.muug.mb.ca/pipermail/roundtable/attachments/20100219/caaa9607/attachment.html

From athompso at muug.mb.ca Fri Feb 19 12:36:39 2010
From: athompso at muug.mb.ca (Adam Thompson)
Date: Fri, 19 Feb 2010 12:36:39 -0600
Subject: [RndTbl] firewall/router in a VM
In-Reply-To:
References: <1105778248-1266466846-cardhu_decombobulator_blackberry.rim.net-2034846348-@bda464.bisx.prod.on.blackberry> <6756caf11002190707p2051ab60w797bb6167b0b4825@mail.gmail.com> <6756caf11002190826r25a18622t3286a7288cbf3f72@mail.gmail.com> <4B7EC944.90300@muug.mb.ca>
Message-ID: <4B7EDA37.3010803@muug.mb.ca>

On 2010-Feb-19 11:31, Sean Walberg wrote:
> An interesting article about Kingston flash memory and quality, or lack
> thereof.
> http://www.bunniestudios.com/blog/?p=918

Hm. My take on it would be "an interesting article about counterfeit parts showing up in mainstream distribution channels", which is something else no-one wants to think about. *sigh*

First time I've run into the term "ghost shift" regarding unauthorized production of parts at the OEM's own facilities. Interesting concept.

-Adam

From sean at tinfoilhat.ca Fri Feb 19 12:39:43 2010
From: sean at tinfoilhat.ca (Sean Cody)
Date: Fri, 19 Feb 2010 12:39:43 -0600
Subject: [RndTbl] firewall/router in a VM
In-Reply-To: <4B7EDA37.3010803@muug.mb.ca>
References: <1105778248-1266466846-cardhu_decombobulator_blackberry.rim.net-2034846348-@bda464.bisx.prod.on.blackberry> <6756caf11002190707p2051ab60w797bb6167b0b4825@mail.gmail.com> <6756caf11002190826r25a18622t3286a7288cbf3f72@mail.gmail.com> <4B7EC944.90300@muug.mb.ca> <4B7EDA37.3010803@muug.mb.ca>
Message-ID:

I'm seeing more and more counterfeit or unauthorized distribution channels all the damned time. Picked up a pile of drives from CBIT last year and 25% of them were from Thailand and their warranties were not honoured outside of Asia/Pacific. Now we do warranty lookups on every drive we order.
On 2010-02-19, at 12:36 PM, Adam Thompson wrote:

> On 2010-Feb-19 11:31, Sean Walberg wrote:
>> An interesting article about Kingston flash memory and quality, or lack
>> thereof.
>> http://www.bunniestudios.com/blog/?p=918
>
> Hm. My take on it would be "an interesting article about counterfeit
> parts showing up in mainstream distribution channels", which is
> something else no-one wants to think about. *sigh*
> First time I've run into the term "ghost shift" regarding unauthorized
> production of parts at the OEM's own facilities. Interesting concept.
> -Adam
> _______________________________________________
> Roundtable mailing list
> Roundtable at muug.mb.ca
> http://www.muug.mb.ca/mailman/listinfo/roundtable

--
Sean

From kel at kelweb.ca Fri Feb 19 17:25:06 2010
From: kel at kelweb.ca (Kelly Leveille)
Date: Fri, 19 Feb 2010 17:25:06 -0600
Subject: [RndTbl] firewall/router in a VM
In-Reply-To:
References:
Message-ID:

Ahem...I hope you don't mind getting back to my original issue:

Sean W, can you elaborate on the security risks to the host? I guess the core issue for me is to understand if there are actually any additional security vulnerabilities because it's virtualised. What is the attack vector? Can a hypervisor be compromised by traffic to one of its guests when there is no IP stack loaded for the host?

I understand that the real danger is that if one of the guests were compromised it may expose the configuration/virtualisation/networking features of the host but that doesn't mean a VM guest/router is any less secure than a hardware router. The compromise is in the router OS & that's the same for a hardware router.

Thoughts?

Kelly

On Wed, Feb 17, 2010 at 9:52 PM, Sean Walberg wrote:

> If you don't have to submit to the wrath of an auditor, it's probably good
> enough.
> > In terms of security risks, your hypervisor/host OS needs to be locked > down, as an attacker could present the WAN NIC to another guest and route it > that way, or launch a new VM with both NICs. Again, not something to worry > about at home. > > FWIW, the auditors I've run up against, especially in PCI, don't look at > the virtual switching in a virtual environment the way they do on a physical > switch. That is, they won't blink if you separate two networks with VLANs, > but put two VMs on different VLANs using a trunk to the ESX server and oh > boy... > > Sean > > On Wed, Feb 17, 2010 at 9:00 PM, Kelly Leveille wrote: > >> Hi All, >> >> I'm considering setting up a firewall/router in a virtual machine to >> seperate a couple networks in my home. I intend to dedicate one of the host >> NICs to the WAN port of the router VM & will not load a TCP stack for that >> NIC in the host OS (ESXi supports this config). In theory, this >> configuration is as secure as a hardware router because packets can only be >> routed via the VM. >> >> My questions are: >> >> Have any of you had any good/bad experiences with this type of setup & are >> there potential security risks I'm not considering? >> >> Also, if you think this is not as secure as a hardware based solution, >> please explain why not. >> >> I'm not doing it to save money. I am aware that I could do the same thing >> with a consumer router. I'm just interested in the possibility. >> >> Thanks, >> -- >> Kelly >> _______________________________________________ >> Roundtable mailing list >> Roundtable at muug.mb.ca >> http://www.muug.mb.ca/mailman/listinfo/roundtable >> >> > > > -- > Sean Walberg http://ertw.com/ > -- Kelly -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://www.muug.mb.ca/pipermail/roundtable/attachments/20100219/adaf70a6/attachment.html

From athompso at athompso.net Fri Feb 19 17:43:55 2010
From: athompso at athompso.net (Adam Thompson)
Date: Fri, 19 Feb 2010 23:43:55 +0000
Subject: [RndTbl] firewall/router in a VM
Message-ID: <1151339389-1266623026-cardhu_decombobulator_blackberry.rim.net-1632321290-@bda464.bisx.prod.on.blackberry>

The potential intrusion vector is, as you've guessed, through the hypervisor. (Or the host OS, where applicable.) The fact that no-one can even articulate a coherent attack plan hasn't prevented the entire security industry from generating Microsoftish amounts of FUD.

You'll have to evaluate for yourself - how much do you trust your VM vendor to write bug-free code to handle incoming packets and pass them on? This does touch on almost every facet of a hypervisor, so it's not an academic question.

Logically, you aren't exposing any new vulnerabilities. In fact, though, you are opening up a new potential intrusion vector.

As far as I can tell, everyone in the argument seems to derive their authority from one comment by Schneier; if anyone has any sources with actual data (empirical, theoretical or experimental) please let me know.

Personally, I trust VM programmers to get patches out quickly, and I trust the paranoiacs to blatt about news of any new compromise, enough to be willing to do the sort of thing you're talking about.

(Having said that, although I'm *willing* to, I will note that I *don't* do so in real life.)

The one aspect to it, though, is that compromise of the hypervisor essentially means instant, complete, utter, irreversible compromise of *all* the VMs (including non-running disk images!) that server has direct access to. That is a little bit worrisome.
-Adam

From tim at fractaldragon.net Fri Feb 19 19:47:35 2010
From: tim at fractaldragon.net (Tim Lavoie)
Date: Fri, 19 Feb 2010 19:47:35 -0600
Subject: [RndTbl] UNS: Re: firewall/router in a VM
In-Reply-To: <1151339389-1266623026-cardhu_decombobulator_blackberry.rim.net-1632321290-@bda464.bisx.prod.on.blackberry> (sfid-20100219_185334_236445_2A2815F4)
References: <1151339389-1266623026-cardhu_decombobulator_blackberry.rim.net-1632321290-@bda464.bisx.prod.on.blackberry> (sfid-20100219_185334_236445_2A2815F4)
Message-ID: <16263.1266630455@fractaldragon.net>

Adam Thompson wrote:
> [snip]
>
> Personally, I trust VM programmers to get patches out quickly, and I
> trust the paranoiacs to blatt about news of any new compromise, enough
> to be willing to do the sort of thing you're talking about.
>
> (Having said that, although I'm *willing* to, I will note that I
> *don't* do so in real life.)
>
> The one aspect to it, though, is that compromise of the hypervisor
> essentially means instant, complete, utter, irreversible compromise of
> *all* the VMs (including non-running disk images!) that server has
> direct access to. That is a little bit worrisome.

I think the salient point here is that you can do these things, if you're willing to do them in an intelligent fashion. So, you monitor the host like you would monitor the guest you care most about, and avoid exposing the host unnecessarily. Also, keep that "everything exposed if any one piece is" idea in mind when deciding what may work well together on one physical host.

On that *other* topic, compliance issues concerned with things like PCI at least help drive home the need for some wide-ranging security efforts to the business folks, because it is tied to how they make their money. Anyone believing that compliance will eliminate the possibility of a breach should be corrected ASAP, but making an effort means that the business is more likely to know they got owned, and understand that they need to do something about it.
In the interest of disclosure, I should mention that I am a QSA.... probably a pain in the ass for those needing help, but hopefully neither clueless nor evil. Well, the lesser evil anyway. Nobody likes being told they can't do something.

Cheers,
Tim

--
Believe it or not, there is a reason Lisp code looks so strange. Lisp doesn't look this way because it was designed by a bunch of pointy-headed academics. It was designed by pointy-headed academics, but they had hard-headed engineering reasons for making the syntax look so strange. - Paul Graham

From swalberg at gmail.com Fri Feb 19 19:48:15 2010
From: swalberg at gmail.com (Sean Walberg)
Date: Fri, 19 Feb 2010 19:48:15 -0600
Subject: [RndTbl] firewall/router in a VM
In-Reply-To:
References:
Message-ID:

The attacks against it that I can see:

1. As Adam pointed out, someone exploits some esoteric flaw in the hypervisor to float packets from the outside to the inside even though you've configured it not to (or some variant of this, such as getting the hypervisor to listen to packets even though you've configured it not to)
2. Someone gets into the host and reconfigures one of the VMs to see the outside NIC, too, or otherwise reconfigures the networking to do something you didn't expect, including putting an IP stack on that interface and exposing the hypervisor to the world.
3. Someone gets into the hypervisor and pokes and peeks directly into your firewall.

Everything else, as you pointed out, is a problem that exists with physical devices. And, as Adam touched on, if some of the conditions above hold true, you may have worse things to worry about.

Back to reality. It all comes down to risk management. What is it that you're trying to protect? Are you trying to segment off your children so they don't look at pr0n? Are you doing it more for interest's sake? Are you protecting the schedule of a known terrorist whom the Mossad is trying to kill?
Each one of these has a different level of risk, and the threats above are more or less likely. For fun and teen-purity-protection your configuration is OK. For the last one, you're worrying about a more sophisticated attacker.

What you're doing is going to be OK for most attacks. Doing it (properly, I add) is not going to open any doors that would be breakable by anyone but the most determined attacker. If that attacker were capable of the above, then I think he's got much higher value victims out there ;)

Sean

On Fri, Feb 19, 2010 at 5:25 PM, Kelly Leveille wrote:
> Ahem...I hope you don't mind getting back to my original issue:
>
> Sean W, can you elaborate on the security risks to the host? I guess the
> core issue for me is to understand if there are actually any additional
> security vulnerabilities because it's virtualised. What is the attack
> vector? Can a hypervisor be compromised by traffic to one of its guests
> when there is no IP stack loaded for the host?
>
> I understand that the real danger is that if one of the guests were
> compromised it may expose the configuration/virtualisation/networking
> features of the host but that doesn't mean a VM guest/router is any less
> secure than a hardware router. The compromise is in the router OS & that's
> the same for a hardware router.
>
> Thoughts?
>
>
> Kelly
>
> On Wed, Feb 17, 2010 at 9:52 PM, Sean Walberg wrote:
>
>> If you don't have to submit to the wrath of an auditor, it's probably good
>> enough.
>>
>> In terms of security risks, your hypervisor/host OS needs to be locked
>> down, as an attacker could present the WAN NIC to another guest and route it
>> that way, or launch a new VM with both NICs. Again, not something to worry
>> about at home.
>>
>> FWIW, the auditors I've run up against, especially in PCI, don't look at
>> the virtual switching in a virtual environment the way they do on a physical
>> switch.
>> That is, they won't blink if you separate two networks with VLANs,
>> but put two VMs on different VLANs using a trunk to the ESX server and oh
>> boy...
>>
>> Sean
>>
>> On Wed, Feb 17, 2010 at 9:00 PM, Kelly Leveille wrote:
>>
>>> Hi All,
>>>
>>> I'm considering setting up a firewall/router in a virtual machine to
>>> separate a couple networks in my home. I intend to dedicate one of the host
>>> NICs to the WAN port of the router VM & will not load a TCP stack for that
>>> NIC in the host OS (ESXi supports this config). In theory, this
>>> configuration is as secure as a hardware router because packets can only be
>>> routed via the VM.
>>>
>>> My questions are:
>>>
>>> Have any of you had any good/bad experiences with this type of setup &
>>> are there potential security risks I'm not considering?
>>>
>>> Also, if you think this is not as secure as a hardware based solution,
>>> please explain why not.
>>>
>>> I'm not doing it to save money. I am aware that I could do the same thing
>>> with a consumer router. I'm just interested in the possibility.
>>>
>>> Thanks,
>>> --
>>> Kelly
>>>
>>
>> --
>> Sean Walberg http://ertw.com/
>>
>
> --
> Kelly
>

--
Sean Walberg http://ertw.com/

From athompso at athompso.net Fri Feb 19 21:29:17 2010
From: athompso at athompso.net (Adam Thompson)
Date: Fri, 19 Feb 2010 21:29:17 -0600
Subject: [RndTbl] Inventory software
Message-ID: <4B7F570D.80009@athompso.net>

Someone (I think it was Montana?) was asking recently about inventory software. I just saw a reference that jogged my memory regarding one of the standards in the field: OCS-NG.
Check it out at http://www.ocsinventory-ng.org/

-Adam

From athompso at athompso.net Mon Feb 22 21:54:06 2010
From: athompso at athompso.net (Adam Thompson)
Date: Mon, 22 Feb 2010 21:54:06 -0600
Subject: [RndTbl] Firewalls in VMs
Message-ID: <4B83515E.2090707@athompso.net>

It's perhaps worth noting that any example of IaaS (Infrastructure As A Service) deals with the same issues that Kelly will be dealing with. This is typical of "cloud" computing; in fact, Amazon EC2 is perhaps the largest public cloud provider, and any firewalls, A-V scanners, IDS engines and other security-related pieces of infrastructure are running in VMs, whether that's immediately evident to the end user or not. (Linux-based EC2 instances are all, AFAIK, Xen DomU instances. I suspect Windows EC2 instances also run under Xen, but I've never researched that.)

So, at the very least, a whole bunch of quite large companies have decided that yes, it *is* OK to host security services on virtualized hardware. By the same token, I'm quite certain that Citrix provides a *very* different level of support to Amazon than they'll provide to you or me!

-Adam

From athompso at muug.mb.ca Mon Feb 22 21:57:50 2010
From: athompso at muug.mb.ca (Adam Thompson)
Date: Mon, 22 Feb 2010 21:57:50 -0600
Subject: [RndTbl] Firewalls in VMs
In-Reply-To: <4B83515E.2090707@athompso.net>
References: <4B83515E.2090707@athompso.net>
Message-ID: <4B83523E.9060109@muug.mb.ca>

I meant to make reference in my last e-mail to the current issue of the Internet Protocol Journal (IPJ) from Cisco, particularly the article "Cloud Computing: A Primer" at http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_12-4/124_cloud2.html .

(For those who aren't network specialists, yes, Cisco publishes the IPJ, but it maintains a very good record of being vendor- and product-agnostic. It is not, to be clear, a peer-reviewed academic journal, although all articles are reviewed by its editorial board before publication.)
-Adam

From kel at kelweb.ca Thu Feb 25 19:10:07 2010
From: kel at kelweb.ca (Kelly Leveille)
Date: Thu, 25 Feb 2010 19:10:07 -0600
Subject: [RndTbl] popularity of linux distros
Message-ID: <422301cab680$716d2d50$544787f0$@kelweb.ca>

Hey all,

The following article has some interesting stats on the popularity of the various Linux distros over the last few years:

http://lunduke.com/?p=1023

UBUNTU #1, UBUNTU #1 - Wooooo! ;-)

Kelly

From athompso at athompso.net Thu Feb 25 23:06:53 2010
From: athompso at athompso.net (Adam Thompson)
Date: Thu, 25 Feb 2010 23:06:53 -0600
Subject: [RndTbl] new phone passes 250dpi mark
Message-ID: <4B8756ED.8020308@athompso.net>

Apparently the new Google Nexus One phone made by HTC has a 400x800 OLED display that works out to 252.15 pixels per inch - while the iPhone 3GS has a pretty high-res display, I think this is a new record for a production, mainstream product.

Other than backlighting-related issues (causing eye fatigue faster than reflective displays) this would probably make a pretty darn good e-book reader. And phone. And music player. And almost everything else.

FYI, it comes with a 1GHz CPU. Sure, it's not going to be a great CPU but 1GHz is also, AFAIK, a new record in the standard phone form-factor.

What I find interesting is that it took us almost twenty years to come out with a reasonably-available high-resolution display again. IBM had a (approx.) 200dpi display available in the early '90s. I think they sold well into the double-digit unit quantities :-). (It was probably still profitable - I remember the unit price being around $160k at the time.) Since then, mainstream displays ramped from 75dpi up to 100dpi fairly quickly - and stayed there for 15 years. Almost every LCD you can buy today (excluding "digital signage" models) is between 96dpi and 108dpi.
Oh, and the phone is Android-based - which means it's running on Linux.

-Adam

From john at johnlange.ca Fri Feb 26 09:32:46 2010
From: john at johnlange.ca (John Lange)
Date: Fri, 26 Feb 2010 09:32:46 -0600
Subject: [RndTbl] new phone passes 250dpi mark
In-Reply-To: <4B8756ED.8020308@athompso.net>
References: <4B8756ED.8020308@athompso.net>
Message-ID: <1267198366.32118.3.camel@linux-k6vx.site>

On Thu, 2010-02-25 at 23:06 -0600, Adam Thompson wrote:
> Oh, and the phone is Android-based - which means it's running on Linux.

And it's not available in Canada.

--
John Lange
http://www.johnlange.ca

From athompso at athompso.net Fri Feb 26 10:22:19 2010
From: athompso at athompso.net (Adam Thompson)
Date: Fri, 26 Feb 2010 10:22:19 -0600
Subject: [RndTbl] new phone passes 250dpi mark
In-Reply-To:
References: <4B8756ED.8020308@athompso.net>
Message-ID: <4B87F53B.6000504@athompso.net>

On 2010-Feb-26 08:49, Shawn Wallbridge wrote:
> The Nokia 770 had an 800x400 display as well, but it was 4.13" diagonally.

I thought the N-series were a little under 150dpi, but my calculations actually indicate it was just over 200dpi (216dpi if the screen was 2:1 with square pixels; that's probably close but not quite right) - which is quite a bit higher than I had thought. Good catch. The jump from 216dpi to 252dpi isn't all that big.

The Nokias also run Linux, and, of some practical importance, are actually available in Canada. I believe some of our members own N-series units of varying vintages.

-Adam

From gjditchfield at acm.org Fri Feb 26 21:43:31 2010
From: gjditchfield at acm.org (Glen Ditchfield)
Date: Fri, 26 Feb 2010 21:43:31 -0600
Subject: [RndTbl] new phone passes 250dpi mark
Message-ID: <1267242211.1446.6.camel@Nokia-N800-43-7>

On 2010-Feb-26 08:49, Shawn Wallbridge wrote:
> The Nokia 770 had an 800x400 display as well,
> but it was 4.13" diagonally.

800X480, for 225 dpi. The N900 tablet/phone has a 3.5" 800x480 at 267 dpi screen.

...
And Adam wrote
> I believe some of our members own
> N-series units of varying vintages.

This was pecked out on an N800.