Archive for the 'Computers' Category

A few more words of advice for used equipment sellers

Today I’m going to expand on the advice I provided in my earlier post, “A few words of advice for used equipment sellers“. Today I’m going to address the issues with “As-Is / Not Working / For Parts Only” listing types. These are terms used by eBay, but this advice also applies to anyone else selling equipment in this category.

In general, this type of item is offered by sellers at a lower price in the hope of recovering some money from a piece of equipment that is either not operating properly or is not able to be tested by the seller. Some sellers are very scrupulous about describing the equipment, providing lots of pictures and as much information as they know about the item. At the other end are sellers who use a stock photograph and product description, perhaps with some words like “Couldn’t power on – didn’t test.”

Any buyer who purchases items in this category is hoping to find a bargain by ending up with a piece of working equipment after performing minimal repairs. [There are probably people who buy this material for other purposes, such as scrap metal recovery, components for artwork, and so on, but I’ll leave those out of this discussion.] As such, you (as the seller) want to provide as much information as possible to potential buyers so you both end up with a good experience.

There are quite a few categories of “untested / not working”, and I’ll go through these from best to worst:

  • Unable to test / Not tested – this means that the seller lacks the ability to test the item, either because it is a sub-component of a larger device the seller does not have, lack of necessary cabling to connect it, or due to it requiring specialized test / calibration equipment. Items in this category are truly untested and may or may not work. This category should NOT be used for items that the seller did test, but were found to be non-operational. It should also NOT be used for equipment with obvious physical defects which would make the unit not fit for use.
  • Tested to power on only – this means the seller was able to apply power to the unit and it did something. Perhaps the seller lacked cabling or test equipment to perform further tests. Any observed behavior (patterns and colors of indicator lights, fans turning / not turning, unusual beeps or other noises, etc.) should be described in detail. Like the above category, it should not have any of the defects noted by NOT.
  • Tested, found defective – this means that the seller was able to perform further testing and determined that there was indeed a problem with the unit. The seller should clearly state the nature of the defect (to whatever extent they investigated), such as “no console output”, “Status light solid red”, “displays fatal error message”, and so forth. Again, any physical defects would bump this to a lower category.
  • Tested, found defective, investigated in depth – in this category, the seller has somewhat more knowledge of the device and has done further investigation. There might be concealed damage or the seller might have disassembled the unit to investigate further. Essential components may have been found to be missing. Any results of the investigation should be included in the listing, and the seller should return the unit to the condition as found (re-installing all components, including case screws, etc.) or note in the listing why this was not done.
  • Physical damage, repairable – the device has some sort of physical damage which renders it partially or completely unusable, such as damaged connectors, bent or broken components, etc. The damage should be described as completely as possible, preferably with good quality photographs of the damaged areas. Buyers should evaluate the usability of the device without using the damaged areas or their ability to repair the damage. Note that modern electronic equipment often uses surface-mount components on multi-layer circuit boards, meaning that the skills and equipment needed to perform the repairs are beyond the reach of most users.
  • Physical damage, non-repairable – the device has obvious physical damage which would prevent it from being repaired or being usable as a complete unit. Sometimes it may be possible to salvage components from the device (power supplies, faceplate, memory, etc.). The damage should be described as completely as possible, preferably with good quality photographs of the damaged and un-damaged components.

Now, I’d like to provide a few examples of actual listings that I’ve purchased, and what I’ve found. I am not naming any sellers here, since it is possible that they received the item from somewhere “up the food chain” and did not investigate it completely.

  1. Catalyst WS-C4948-10GE switch – Listing simply said “Being sold AS IS for Parts or Not working. Power on but no console. No return, No refunds. AS IS!!!“. The listing also included pictures of the device, including one which showed the status LED being red.

    When I received this unit, the first thing I did was open it up to make sure there were no loose parts inside. During this inspection I discovered that 12 of the 14 screws that hold the cover on were missing and that the memory battery backup battery had been ripped off the main board (and was nowhere to be found inside the chassis). I also found that all of the screws holding the main board to the chassis were loose (but at least they were all present). Based on this, I determined that someone had been inside the unit already and had diagnosed it at least as far as removing the main board.

    I contacted the seller and they said they received it that way from the company that was using it, and the company ripped the battery off to erase the config because they were “security conscious”.

    Soldering in a new battery was not sufficient to get the switch working. I suspected the problem might be due to defective memory components soldered onto the main board, as described in this Cisco Field Notice. I ordered a tray of memory chips from a specialist in obsolete components (they are long-discontinued DDR333 parts) and replaced the two chips on the underside of the board. Since the ones on the bottom were made by Micron and the 3 on the top were from Samsung, I guessed (correctly, as it turned out) that the fault was in the Micron ones.

    After reinstalling the main board in the chassis and powering the switch up, I was greeted with the normal startup messages on the console*. After enabling priv mode in ROMMON, I tested the memory for an hour or so and it passed without errors. I then updated the ROMMON and IOS to the latest versions and gave the switch a 72-hour burn-in test, which it passed. Not bad for $255 plus another $10 in replacement memory chips and an hour or so’s work.

    * To my amusement, it appears that the battery on this switch is only used to maintain the date/time, not power the configuration memory. When the switch booted up after I repaired it, it put up a full-page banner with dire warnings about accessing the network without authorization, part of the saved config file that it had retained the whole while.

  2. More items to be added as I purchase them. – scan or scam?

One of my occasional consulting customers called me in a panic because all of their HP printers printed out the same page at the same time:

Accept-Encoding: gzip, deflate, compress
Accept: */*
User-Agent: IPv4Scan (+

Now, I have nothing against most network measurement bots. Most are useful, and the rest are usually well-intentioned, even if they are counterproductive. The one thing these have in common is that they have a page that tells you what they’re doing, why they’re doing it, and who to contact if you have further questions.

The page does none of those:

Screen capture

There is no contact information provided on the page, there is no statement of how the data is being used (other than that it is “not for sale, rental or release”). The web page source does not contain any useful contact information, either. So they’re collecting this data for their own, unspecified, purposes.

Ok, maybe it is legit, just with a spectacularly bad public relations campaign. Let’s look and see who is behind this:

(0:115) host:~terry# jwhois
Domain Name: IPV4SCAN.COM
Registry Domain ID: 1824307886_DOMAIN_COM-VRSN
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2013-08-30T10:37:11Z
Creation Date: 2013-08-30T10:21:44Z
Registrar Registration Expiration Date: 2014-08-30T10:21:44Z
Registrar: Corp.
Registrar IANA ID: 814
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: Fundacion Private Whois
Registrant Street: Attn:, Aptds. 0850-00056
Registrant City: Panama
Registrant State/Province:
Registrant Postal Code: Zona 15
Registrant Country: PA
Registrant Phone: +507.65967959
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: Fundacion Private Whois
Admin Street: Attn:, Aptds. 0850-00056
Admin City: Panama
Admin State/Province:
Admin Postal Code: Zona 15
Admin Country: PA
Admin Phone: +507.65967959
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email:
Registry Tech ID:
Tech Name: Domain Administrator
Tech Organization: Fundacion Private Whois
Tech Street: Attn:, Aptds. 0850-00056
Tech City: Panama
Tech State/Province:
Tech Postal Code: Zona 15
Tech Country: PA
Tech Phone: +507.65967959
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email:
Name Server:
Name Server:
Name Server:
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System:
>>> Last update of WHOIS database: 2014-04-29T05:00:41Z <<<

Ok, so they're hiding behind a privacy service, but seem to be located in Panama. Let's see if the IP address they're using matches:

(0:116) host:~terry# host has address mail is handled by 5 mail is handled by 5
(0:117) host:~terry# jwhois
% This is the RIPE Database query service.
% The objects are in RPSL format.
% The RIPE Database is subject to Terms and Conditions.
% See

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to ' -'

% Abuse contact for ' -' is ''

inetnum: -
netname: NL-ECATEL
descr: Dedicated servers
country: NL
admin-c: EL25-RIPE
tech-c: EL25-RIPE
mnt-by: ECATEL-MNT
mnt-lower: ECATEL-MNT
mnt-routes: ECATEL-MNT
source: RIPE # Filtered

role: Ecatel LTD
address: P.O.Box 19533
address: 2521 CA The Hague
address: Netherlands
remarks: ----------------------------------------------------
remarks: ECATEL LTD
remarks: Dedicated and Co-location hosting services
remarks: ----------------------------------------------------
remarks: for abuse complaints :
remarks: for any other questions :
remarks: ----------------------------------------------------
admin-c: EL25-RIPE
tech-c: EL25-RIPE
nic-hdl: EL25-RIPE
mnt-by: ECATEL-MNT
source: RIPE # Filtered

% Information related to ''

descr: AS29073, Route object
origin: AS29073
mnt-by: ECATEL-MNT
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.72 (DBC-WHOIS3)

So, they're using an IP address allocated to Ecatel in the Netherlands. Not exactly close to Panama, is it? Let's see if that address is actually in the Netherlands:

(0:118) host:~terry# traceroute
traceroute to (, 64 hops max, 52 byte packets
8 ( 20.530 ms ( 19.664 ms ( 20.657 ms
9 ( 85.582 ms 85.667 ms ( 85.388 ms
10 ( 95.882 ms ( 95.035 ms ( 97.517 ms
11 ( 130.510 ms ( 94.574 ms ( 101.849 ms
12 ( 101.548 ms 118.302 ms 102.141 ms
13 ( 98.234 ms 97.335 ms 96.958 ms

Ok, the server is in Amsterdam, Netherlands. But hiding behind seems suspicious. Let's see where they are:

(0:119) host:~terry# jwhois
[Redirected to]

Domain Name:
Registry Domain ID:
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2014-04-06 03:14:38
Creation Date: 2009-09-08
Registrar Registration Expiration Date: 2015-09-08
Registrar: Onlinenic Inc
Registrar IANA ID: 82
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +1.5107698492
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: Laura Yun
Registrant Organization: Vindo International Ltd.
Registrant Street: Oliaji TradeCenter - 1st floor
Registrant City: Victoria
Registrant State/Province: Mahe
Registrant Postal Code: 5567
Registrant Country: SC
Registrant Phone: +248.6629012
Registrant Phone Ext:
Registrant Fax: +248.24822575500
Registrant Fax Ext:
Registrant Email:
Registry Admin ID:
Admin Name: Laura Yun
Admin Organization: Vindo International Ltd.
Admin Street: Oliaji TradeCenter - 1st floor
Admin City: Victoria
Admin State/Province: Mahe
Admin Postal Code: 5567
Admin Country: SC
Admin Phone: +248.6629012
Admin Phone Ext:
Admin Fax: +248.24822575500
Admin Fax Ext:
Admin Email:
Registry Tech ID:
Tech Name: Laura Yun
Tech Organization: Vindo International Ltd.
Tech Street: Oliaji TradeCenter - 1st floor
Tech City: Victoria
Tech State/Province: Mahe
Tech Postal Code: 5567
Tech Country: SC
Tech Phone: +248.6629012
Tech Phone Ext:
Tech Fax: +248.24822575500
Tech Fax Ext:
Tech Email:
Name Server:
Name Server:
URL of the ICANN WHOIS Data Problem Reporting System:
>>> Last update of WHOIS database: 2014-04-06 03:14:38 <<<

Well, this is definitely fishy. No legitimate survey would be hiding behind so many levels of indirection.

I used the site's form to "opt out" with an email address requesting they contact me about their project. I've also sent email to the abuse contacts shown above, pointing them to this blog entry, in the hope that they can get some sort of explanation from their customer.

In the meantime, you may want to fine-tune your firewall rules to prevent this type of probe. That would (at a minimum) include blocking all outside connection attempts on ports 80 (http) and 443 (https) to anything on your network that is not intended to be a public web server. I cannot recommend using their opt-out form as there is no indication of what they do with the information. For all I know, it has the same effect as sending "unsubscribe" in response to a spam email - it just targets you for more spam.

If I receive any information from my inquiries, I'll update this blog entry accordingly.

Does your bank care about online security? Mine (Citibank) doesn’t…

Updated July 16th to document further idiocy – see the bottom of this post.

Today provided yet another indication that Citibank (and by extension, MasterCard) have absolutely no clue about online security, and past events have shown that they simply don’t care.

As background, I’m sure you remember all the warnings your bank / credit card company gave you about never giving out information to unknown entities, to always make sure that the name of the bank / credit card company is in the URL, and so forth. It sure would be nice if they’d take their own advice…

Today’s experience was triggered by an order on After clicking on the “confirm order” button, I was told that I might be redirected to my bank’s web site to confirm the order. So far so good – I’ve had experiences in the past where every single Newegg order caused my card to be flagged for fraud. But then I was greeted with a web page claiming to be “MasterCard SecureCode”, but with a URL showing “”, which demanded a bunch of sensitive info, including the last 4 digits of my SSN and my billing Zip Code. What the heck? Looks like an obvious phishing site. I let the page sit there while I contacted Citibank MasterCard. The agent said that it was obviously a fake and that I should never enter any info into an online form like that (a statement I strongly agree with). I clicked the “cancel” button and figured that I’d just place my order somewhere else. However, Newegg told me my order had been placed successfully and subsequently sent me an email letting me know that my credit card had been charged.

I then decided to investigate what this “” site was. There aren’t many useful search engine hits, but there is history going back at least seven years, all of which points out the confusing nature of that site. For example:

For an actual scholarly paper about this problem, I suggest reading “Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication“.

If you browse to, you get (as of this writing) a blank page – it doesn’t even return any HTML headers. If by some chance you happen to find, you’ll find a singularly uninformative page which contains such gems as “Call us at your Financial Institution’s support phone.” To be fair, that may just be a generic page not intended to be shown to users.

The main point is that after telling us to never trust unknown web sites, the banks and credit card companies are sending people to just those sorts of sites. Talk about mixed messages!

Compounding this, if you do get a call from the Citibank Fraud Department, it will show up as “Unavailable” or “Private” in Caller ID. While it’s true that Caller ID is easily faked, I’d be more inclined to answer the phone if it didn’t look like a random telemarketing call. For added security, that automated call could simply say “This is a fraud warning about your Citi MasterCard ending in 1234. Please call the number on the back of your card immediately.”

This is not a new problem – I’ve been reporting Citibank’s own email to their anti-phishing department becase my mail server (correctly) flags it as fraudulent due to forged headers. In particular, they like to send out email with the subject “Important information regarding your statement”. It is actually just a canned solicitation to switch to online billing, not “Important information”. But Citibank doesn’t send it themselves – instead, they use companies called and As I said in my unacknowledged complaints to Citibank, “Imagine you got an email claiming to be from the IRS entitled “Important information about your tax return”, where the email was sent from a Yahoo account through a GMail account to you. Wouldn’t you be suspicious? You’re doing the exact same thing with the mail you send out.”

These companies should require the use of their own domains and SSL certificates rather than apparently-unassociated third parties, or at least correct information when users call them and ask if the third-party site is legitimate.

It’s a sad day when I have to admit that PayPal does a much better job with this sort of thing than Citibank does.

This total disregard for security isn’t just in their online communications, either. Citibank started sending me unsolicited “balance transfer” checks in the mail, despite my having gotten them to stop some years ago. I had to call yet again and have my account flagged to not receive them. I said to the phone rep “Who in this day and age thinks sending blank checks in the mail is a good idea?” and she agreed with me. She apparently gets lots of calls about this.

Update as of July 16th:

As I wrote yesterday, I canceled the “MasterCard SecureCode” window and Newegg apparently processed my order, notifying me that they’d received the order and later that it had been successfully charged to my credit card. That’s where things were at the time I wrote the above post.

Last night I received email from Newegg telling me that my order had shipped and tracking information was available, and that I could expect to receive the order on the 17th. That’s excellent service, considering that I had used the “free 4-5 day shipping” option. I figured everything was all set. Little did I know…

Today at 6:37 PM (note that this is at least 12 hours after my Newegg order shipped – talk about “locking the barn door…”) I get the usual “Unavailable” Caller ID phone call from the Citibank Fraud “Early” Warning Department, telling me that my card has been frozen and asking me to confirm that my Newegg purchase was legitimate (oddly, they had no problem with my Amazon purchase later that same day). I told the agent it was, and explained that I’d received the phony-looking SecureCode page and after contacting the same department she was calling me from, who told me it was bogus and to never provide information on that sort of suspicious page, I clicked “cancel”.

The agent proceeded to tell me how important the SecureCode was. She was unable or unwilling (perhaps due to the “script” they’re required to work from) to understand that her department was the one who told me to never provide that information. We went around in circles for about 10 minutes as I tried to get her to understand that, and also to get the point across that they are the ones who say to never provide information to an untrusted 3rd party.

It’s easy enough to dismiss this as “somebody else’s problem”, but the banks, card companies and merchants are covering the losses they incur due to their own stupidity by charging everybody a little more. So it’s everybody’s problem – I just wish the bank could see that it is a problem entirely of their own making.

The GEN IIv7 MOD-6_7971

Carl and Michael recently released the latest version of their MOD-6_7971 Nixie clock. This is pretty much the same hardware as before, but uses a higher-powered radio transmitter in the remote GPS receiver so it can be located further from the clock. There have been a huge number of software changes, however. To give you an idea, the version that shipped with the last batch of clocks was V07-09. The version on this batch is V07-53!

A lot of that was me pestering Carl for changes, but there’s also a lot of other neat new stuff in there.

One other new thing is that the clock now has a 67 page user manual written by me. If I may be permitted to brag a little bit (Ok, a lot!) I think this sets a new standard for Nixie clock documentation. You can read it (and the accompanying updating instructions – you can update any of the older clocks to this software) here:

User Manual
Updating Instructions

For more info or to express interest in ordering a kit or assembled clock from a future batch, visit the MOD-6 page at

MOD-6 Nixie clock

A few words of advice for used equipment sellers

I purchase a good deal of used electronic equipment for both work and personal use. Some of that equipment comes from eBay, some is purchased from companies who sell used equipment for a living. The two aren’t mutually exclusive, of course – there are a number of commercial vendors who sell through eBay as well as their own site.

Used equipment can represent a sizable savings over new, particularly when a manufacturer only has a “list price” and doesn’t offer discounts to any but their largest customers. Of course, you need to consider the cost of any required re-licensing (for example, on Cisco gear) when comparing the used price with new. But a large number of manufacturers make updates available for free to all, and in that cases you can often save a great deal of money. Most used equipment will come with at least a one-week warranty against being defective, but some sellers will offer a longer warranty – up to 1 year is common.

One of the best times for great deals is just as a device is no longer being sold as new by the manufacturer. There’s a further drop once the manufacturer no longer supports it with software updates, spare parts, and so on – but you probably don’t want to buy something that far along unless you plan to use it for spare parts yourself.

That’s the benefit to the buyer. But I’d now like to give some advice to sellers, both to ensure the largest market for their items and to avoid potential problems.

Getting the item ready for sale

  1. If the device has any configuration data, erase it before listing the device for sale.
    • Some devices have no way of resetting them to the default state unless the existing password is given, which means that if the seller doesn’t erase it before selling, the only way a buyer will be able to use it is if the seller is willing to tell them what the password is (not practical if it is the same password the seller is using on equipment they’re still using, or if they don’t know it). Otherwise, the device has to go back to the seller and the transaction voided.
    • Some other devices have a “reset the password only” option, or (insecurely) a “backdoor” password that works on all units. If the user does that, they will have access to the entire configuration of the device as the seller last used it – at a minimum, things like IP addresses, SNMP communities, and so on. Potentially even more sensitive information like access lists can be disclosed. Additionally, at least two major brands of devices have the (undocumented, but widely known) ability to read or decrypt the original password cleartext once a password recovery procedure is performed.
    • This is particularly important for disk drives and other storage media. Even if the drives were part of a RAID set, it might still be possible to recover chunks of data from individual drives. You can use a utility such as DBAN to erase drives that are still in the system. It offers a variety of erasure options, from a simple “write zeros to the whole drive” to multiple erase passes with random data. Note that even with this type of erasure, it may still be possible to recover data from certain areas of the disk (replaced defective sectors, for example). If you (or your company) doesn’t want to take the risk, you can remove the drives – but read on for a suggestion about disk trays and mounting hardware.
  2. If you’re selling something like a server and your company policy requires removal of the drives before the sale, put the empty hot-swap drive trays back in the server instead of trashing them with the drives. If the trays require oddball hardware to hold the drives in, put the screws in a small plastic bag and tape them securely to the disk tray(s). The buyer will thank you as they won’t have to scavenge for drive trays to get the server running with new drives.
  3. Unless you’re explicitly selling the item “as-is” or “non-working”, please test it before listing it. Having a 14-day (or longer) “no questions asked” return policy is nice, but neither the buyer nor you want to deal with shipping defective items back and forth. For some items, this can simply be installing (or leaving) them in a system and seeing if they work. Mechanical items like disk drives need some additional testing. Modern drives (anything in the last decade or so) have S.M.A.R.T. testing built in, so it is a simple matter to use something like smartmontools to test the drive and see if it has any problems before listing it. Just today I received a pair of SAS drives, each with less than 30 power-on hours on them, which had over 50 media errors each and had been logging S.M.A.R.T. errors since new (the first failure was logged at 0 power-on hours).
  4. Along with the above, it would be helpful to update the device to the latest available firmware “while you’re in there”, if that is something the manufacturer allows. I’ve received devices that were so old that several intermediate firmware updates were needed to get them to the current revision. In a number of those cases, the intermediate updates were themselves so old that the manufacturer had removed them from their web site as obsolete. That requires the user to go on a “scavenger hunt” through potentially untrustworthy sites to try to find firmware. Another reason to update before selling is that in some cases, the update procedure will only work in the specific brand of equipment the device came from. An example is Dell network cards – the Dell Server Update Utility only runs on Dell-branded servers. Dell network cards are mostly-generic Broadcom, Intel, etc. cards but often have Dell listed in the PCI Vendor ID on the card. This means that generic firmware updates from the manufacturer may fail to recognize the card. To continue my example, even if the user is putting the card in a Dell server, unless Dell offered the specific option card for the user’s server, the appropriate Server Update Utility may not detect / update it.

Listing the item for sale

  1. Be as descriptive as possible when listing the item. To give a specific example of why this is a problem, look for “PowerEdge R300” on eBay. That model was available with or without hot-swap drives and with or without redundant power supplies. It is not possible to convert a chassis from any of those configurations to another. Many times a seller will just say something like “PowerEdge R300 Quad-core 2.33GHz 4GB 2x 146GB HDD”. That doesn’t convey much useful information – in addition to the chassis type, it would be useful to know the exact CPU model, whether the disks are SATA or SAS and if there’s an add-on disk controller in the system, and whether or not there’s a remote access card. This is made even worse by the sellers that say “Stock photo” or “Photo may not represent actual item”. To add insult to injury, some of those same sellers will say “if it isn’t in the picture, it isn’t included” in the body of the listing. Dell’s web site is pretty good – if you know the “service tag” of a system, Dell’s site will show you the configuration as it shipped from Dell. Of course, the seller or a previous owner may have added, removed, or modified components, so don’t take the Dell list as the last word. As the seller, you can go to the Dell site and copy/paste the configuration into your sale listing once you verify that it’s accurate.
  2. If you’re selling something that isn’t an add-on component (like a network card or a disk drive), but can function as a standalone device (like a server, Ethernet switch or network-controlled outlet strip), provide all of the necessary accessories with it or explain clearly that they’re missing. This definitely includes rack mount ears/rails (if the device is rack mountable) and console cables (no two vendors do exactly the same thing once you get to anything newer than 9-pin serial connectors). If the device has cable-management hardware (bracket, etc.) and you have it, include that with the item. Likewise for the faceplate. It is also thoughtful to include the required power cord, at least if the seller and the buyer use the same type of electrical outlets. This isn’t vital, as there are a small number of possible mating power cords for modern equipment. But the buyer will usually appreciate your thoughfulness, particularly if it is an unsual cord like an IEC C20 and they have to order one once they receive your shipment.

Shipping the item to the buyer

Pack the item well, preferably using the original manufacturer packaging (if still available). You’d be amazed at the way some stuff arrives here. I’ve received memory DIMMs ratlling around loose inside a cardboard box. I’ve received servers where parts of the chassis were dented or damaged (usually parts that protrude beyond the basic rectangular shape, but sometimes the main chassis itself). I’ve received devices with glass faceplates that were smashed. I’ve received boxes where the cardboard was too thin for the weight of the item and has ripped during normal handling, with accessories falling out of the box and being lost in transit.

I’d like to be able to say “just take the item to your nearest parcel store and have them pack and ship it”, but that’s generally not a good idea. It seems that their solution for shipping anything is a thin-wall cardboard box and packing peanuts. Those peanuts are not acceptable for anything that might shift around or settle in the box. With enough practice, it is possible to ship fragile items using common materials – I have purchased many items from ex-Soviet countries where the contents were packaged entirely (but carefully) in newspaper and placed in a cardboard box and which arrived here in perfect condition despite their international travel and the rough handling of various foreign postal services.

Large items are generally either heavy or are light enough that they get charged “dimensional weight”, where the shipping company charges the package as if it weighs a certain amount per cubic inch. In general, the cost of reasonable insurance (value up to some hundreds of dollars) will be a small part of the total shipping cost, so it makes sense to insure the package. If you have to file a claim, be aware that you will often be asked to provide proof of adequate packaging before the shipping company will process the claim. I know of one company that took pictures of each box while it was being packaged and retained those pictures, both to deal with shipping damage claims and to prove that a certain item was in the box when it was shipped.


If, as a seller, you follow these steps I think you will find that your items will sell faster and your customers will be happier. And if I’m the customer, I’ll definitely be happier.

Dell PowerEdge R300 ESM / BMC firmware updates on non-supported operating systems

Dell has generally been quite good about making firmware updates available in a variety of formats. In addition to the normal Windows and Linux versions, most patches are also available as a floppy / USB image or an ISO image (depending on size). Those of us who don’t run one of the operating systems Dell provides support for appreciate them going through the trouble.

However, newer updates for older systems and updates for newer systems seem to no longer provide standalone installers. In theory, Dell provides a quarterly packaged roll-up of all available updates on a pair of DVD images (CDU and SUU). Booting these and wasting about 10 minutes switching discs should get your system updated to the latest versions of all firmware without any additional steps.

Unfortunately, the firmware for the R300’s ESM / BMC has not been on any SUU discs I’ve looked at, and the update is listed as “Critical Security Update” on Dell’s site (look under ESM on the R300’s downloads and drivers page). The only two formats it is available in are “Windows Update Package” and “Linux Update Package”. I figure that’s not a problem, as I can boot a Windows 7 recovery disk and then run the ESM update from a USB drive. Unfortunately, that doesn’t work. You get an error about “unsupported operating system”.

Next, I boot the CDU DVD and select F3 for Advanced Options. This eventually gets me to a Linux shell prompt (CDU/SUU operates under Linux). I mount the USB drive and execute the Linux version of the ESM update. That errors out with “Not compatible with your system configuration” for some unknown reason. Time to investigate further…

Clicking on “Previous Versions” on the Dell page shows the previous version as 2.46 from 2009. Looking at the available formats, one is listed as “Hard-Drive”. Depending on the mood Dell is in when they create the kit, this could be anything from a freestanding binary that writes a floppy image to a drive, to creating an ISO file, or something that just unpacks into a bunch of loose files somewhere, perhaps then trying to run them (incorrectly) on the local system.

I downloaded that file (link here) and discovered it created 3 useful files when it was executed:

  • bmcfl16d.exe – a DOS-based flash utility
  • bmccfg.def – some sort of configuration file
  • bmcflsh.dat – the actual firmware to be flashed

Now all I needed to do was to find newer versions of the last 2 files inside either the Linux or Windows installer. The Linux installer was a pain, and I quickly gave up on it. I had much better luck with the Windows version (link here). Despite being an EXE file, I was able to use WinZip 16.5 to open the file (browse to the directory where you downloaded the Dell update, then make sure you’ve selected “All files (*.*)” in WinZip’s Open Archive dialog). There’s a whole load of un-needed stuff in there (which doesn’t completely explain how a 655KB update turns into a 4800KB Windows binary). Find the bmccfg.def and bmcflsh.dat files and extract them on top of (replacing) the ones from unpacking the older download.

I copied the 3 files onto a bootable USB stick and then used that to boot the R300 to be updated. Here are some screnshots of the various stages of the procedure (it’s very simple – just answer Y or N when asked if you want to perform the update):

If the firmware is already at the latest revision, the utility will tell you that and exit. This can also be used to double-check that the update was successful:

That’s all there is to it. If you want a pre-built .ZIP file with the flash utility and the 2.50 image, I have placed one here for your convenience.

Advanced topics

The bmcfl16d.exe utility has a number of documented and undocumented additional features. You can use the -help option to get a list of the documented features. Before using one of these features when updating a system, be sure you know what you’re doing and have a fallback plan in case the update fails and you’re left with a non-operable system.

There is also an undocumented -advhelp (advanced help) option, which shows the additional undocumented options:

The above caution about knowing what you’re doing and having a fallback plan is doubly important if you try using any of the advanced options.

[Another] New Year, new UPS batteries…

Four years ago, I wrote about replacing the batteries in each of the UPS systems I had here. After nearly 4 years, the batteries were near the end of their useful life, and the week-long power outage after Hurricane Sandy (and the follow-on outages once the power finally came back on) finished them off.

I contacted Batteryspec / Tempest (who I’d used for the last big order, as well as for some smaller orders since then) to get current pricing and shipping info. They were back-ordered on the battery type that the Symmetra uses, and shipping costs (which they have no control over) had increased quite a bit since my last big order.

While I’ve been very pleased with Tempest’s product and service, I figured it couldn’t hurt to shop around, particularly as I was looking at a several-week delay before Tempest had their units back in stock. One of the replies to my original post was from Ken Kostecki, whose company carries the Enersys line of batteries. I decided to send him an email message with the list of batteries I was looking for, asking for pricing and shipping costs. He responded right away and gave me good pricing on the batteries and a much lower freight cost – understandable, since the batteries would be coming from less than 1000 miles away, instead of 3000 miles away. At this weight (1500+ pounds), UPS is out of the question – this type of shipment is normally done with a “Less than truckload” (LTL) shipper. He also confirmed that the date codes on the batteries were recent, and even offered to unpack and charge them for me if I wanted. I said that it wasn’t important as long as the batteries were fresh.

After explaining to Ken that I lived on a narrow side street, didn’t have a loading dock and needed a day’s notice so I’d be home, he confirmed that the shipping quote was still good. [In the past, I’ve had experiences where the shipping company didn’t call first and showed up when nobody was home, then charged a $200 “re-delivery fee” – that can clobber any cost savings that the order started out with. I’ve also had 53′ trailers pull up on the next major street over and tell me to come unload their truck, which didn’t have a lift gate. Carrying 1500 lbs of batteries a block and a half is not my idea of fun. Hence wanting to make sure that everything was all set for curbside delivery.]

Within a few days, the batteries arrived in perfect condition, boxed and wrapped on a pair of pallets. I loaded them into the house and began the process of installing them in the various UPS systems – quite a task, as there were around 160 batteries of various sizes, ranging from the small ones used in the Symmetra to car-battery-sized ones used in the Matrix 5000.

As I replaced the batteries in each UPS, I checked the battery float voltage. Incorrect voltage is the thing that will kill batteries the fastest – if the UPS thinks the batteries need to be “topped up”, it will continuously pump power into the batteries, causing them to overheat and eventually swell and burst. APC units (particularly the smaller ones) seem to drift out of adjustment over time, almost invariably in the direction of overcharging the batteries. The Symmetra and Matrix units were fine. The smaller Smart-UPS units I have (700VA to 3000VA) were all out-of-spec by varying amounts. I had to disassemble a pair of SU1000 units in order to get the batteries out, as they had swelled up so much that they couldn’t be removed without disassembling the battery compartment. I don’t consider this to be a problem with the previous Tempest batteries – it is definitely because the UPS’s cooked them.

I followed the unofficial procedure described here to adjust the float voltage on each UPS to the low side of the acceptable range, since I figure that any future aging will continue to shift toward the high side. After bench-testing each UPS for a few days, I placed them back into service. One of the SU1000’s decided it didn’t want to work properly when hooked up to its load (a Dell mini-tower system). After studying it for some time, I decided I’d be better off simply replacing it, rather than trying to find out what was wrong. Fortunately, there are usually a large number of similar units on eBay, often with a “needs batteries” or “does not include batteries” disclaimer – which was perfect as I had a set of brand new batteries. I located a nice SUA1000 (without batteries) for $85 with free shipping. It had a late 2008 date code, which was perfect – units older than that tend to start developing problems, while newer ones have better charging circuitry but are designed to keep manufacturing costs down. After it arrived, I put the new batteries in it, checked the float voltage, and placed it into service. I now had 8 good UPS systems with new batteries.

One of the things I did was to add 2 more “XR” battery packs to my “life support” UPS. This is the unit that provides power to a pair of electric space heaters (for emergency use only), my stereo / TV, cell phone and other battery chargers, and so forth. It will now power all of that stuff for a little over 2 days (vs. 1 day previously), or even longer if I shut down some of the devices it powers. In the past, I’d never had a power failure lasting more than 24 hours, but the electric utility has proven that they’re woefully unprepared for major disasters.

Back on the subject of the batteries – I’ve been very pleased with the service I received from Ken at Engineered Power Systems – give him a call / email if you’re looking for batteries at a good price with great service:

Ken Kostecki
Engineered Power Systems
St. Louis, MO

[I’m not posting his email address, in order to keep address-harvesting spambots away – visit his web site for email contact info.]

The GEN II MOD-6_7971

H Carl Ott and Michael Barile recently released the GEN II version of their fabulous MOD-6_7971 Nixie clock, and I ordered several kits from them. The new version adds GPS time synchronization, either via a GPS receiver plugged into the back of the clock, or by using an RF-Link repeater module which talks to the clock over short-range 2.4GHz radio. This clock uses the B-7971 Nixie tube, which displays alphanumeric characters 2½” tall.

The RF-Link lets you completely avoid the problem of needing to position the clock within a few feet of a window or resort to using a bunch of PS/2 extension cords. Now you can put the clock exactly where you want it. The RF-Link remote also includes an indoor temperature sensor and a pushbutton which can be used to remotely turn the clock display on and off.

I have a separate page here describing the clock, but I’m adding a link here so people can find it, and also to facilitate comments (while the actual clock page doesn’t support comments, you can comment here).

Here’s a couple of teaser pictures – click either picture for more info:

MOD-6 Nixie clock

MOD-6 RF-Link

For more info or to order a kit or assembled clock, visit the MOD-6 page at

SOPA (and Go Daddy’s FORMER support for it)

Updated 23-Dec-2011 18:30: I received an email response to my letter stating that “Go Daddy is no longer supporting SOPA”. I’ll attach the complete response as the first comment to this post.

There had been a bit of an Internet buzz about SOPA (the Stop Online Piracy Act). Yesterday, Tom’s Guide reported that Go Daddy published a blog entry supporting SOPA. There are a number of sites organizing “boycott Go Daddy” programs and advocating the transfer of domains to other registrars, for example in this post on Reddit and this one on TechCrunch.

As someone who has registered a number of domains with Go Daddy, I wrote them a letter expressing my dissatisfaction with their policy. I’m including it in this blog entry, as I feel that others need to see it as well. Feel free to submit comments (either agreeing or disagreeing with me, but please keep it civil). Hopefully I’ll be able to keep comments open on this post without it degenerating into a free-for-all.

Date: Fri, 23 Dec 2011 00:36:45 -0400 (EDT)
From: Terry Kennedy <>
Subject: A hopefully more-reasoned SOPA comment from your customer
MIME-version: 1.0

  I read your “Position on SOPA” blog, but since comments are closed there (for obvious reasons), I felt I needed to contact you to tell you my feelings on the subject.

  I’m retired these days, but I’ve been in the computer business since the mid-1970’s. I’ve been an owner or principal of hardware companies, software companies, and ISP’s in the last 40 or so years. There’s no reason for me to mention the names of any of them – some you’ve never heard of, some are quite well known.

  I (and my companies) have suffered economic losses from software piracy (though in those days, we called it “stealing”). So I support REASONABLE anti-piracy measures. However, as currently proposed I feel that SOPA is not a reasonable measure.

  It would force service providers and registrars to act as enforcement agents without requiring the complainant to provide a reasonable justification for the enforcement action. It is essentially a conviction without a trial or defense. Even the much-maligned DMCA provides for the accused to assert a counter claim. Under SOPA, the accused may not even know that they are the subject of an action, until they hear from their customers that their site is inaccessible.

  Under existing legislation, we already have already seen a number of instances where the DMCA was maliciously or inadvertently used to remove or render inaccessible content. In fact, GoDaddy was involved in a recent high-profile instance with

  There was also a recent instance where UMG asserted rights to a song, and claim to have a “private arrangement” “outside the DMCA” with YouTube which lets them remove items, thereby stripping away the protections afforded by the DMCA. I am referring to the Megaupload Mega Song, as documented here:

  Further, SOPA appears to be just another escalation in a technological “whack-a-mole” arms race. As John Gilmore famously said, “The Net interprets censorship as damage and routes around it.” In my opinion, this technological warfare accomplishes nothing to prevent illegal acts, especially not ones performed by “commercial” counterfeiting groups and similar organized operations. It just makes life more difficult for the paying customers. Perhaps you’ve seen the “If you are a pirate, this is what you get” image:

  I would be much happier if you reserved your support for SOPA until it exists in a more balanced and practical form. In your own blog post, you use phrases like “changes we believe are necessary” and “room for some improvement”. As you repeatedly emphasize in your blog, you have over 50 million domains and a full-time presence in Washington. That gives you a very strong position to advocate changes to SOPA which would be more effective while still preserving the rights of the accused.

  I encourage you to reconsider your support of SOPA in its current form, and to work toward modifying it so that it will be both more effective in combating real infringing activities while also greatly reducing the chance that it will be abused.

         Sincerely (your customer),
         Terry Kennedy      New York, NY USA

Quantum SuperLoader 3 / L700 / PowerVault 124T Power Supply Replacement

The Quantum SuperLoader 3 is a popular tape backup product for small- to medium-size businesses. It combines 16 tape slots, a tape drive (of varying types and capacity) and an operator panel in a compact, 2RU (3.5″ high) format. I often refer to it as “a triumph of engineering over common sense”, as it uses a Rube Goldberg-esque mechanism (including a wheel that rotates as well as moving up and down, along with 2 independent “conveyor belt” mechanisms), but the large number of these units sold over the years proves it was a successful design. It was also re-branded by a number of companies, for example as the Dell PowerVault 124T, Sun StorageTek C2, HP StorageWorks SSL1016, IBM 1×16 Tape Autoloader, and probably by a number of additional companies.

Unfortunately, many of these devices have been installed for quite some time and are now out of warranty. Parts are beginning to fail more frequently than they would when the units were new. One common failure seems to be a completely dead unit – no lights or fan rotation, and no response to the host on either the SCSI or Ethernet port. This is usually due to a failure of the power supply, not anything more serious. Unfortunately, the Quantum Best Practices for Troubleshooting Superloader3 (PDF) says “Is the unit totally dead, no lights, power or sound? If yes – Replace the loader.” That’s a bit expensive if the unit is out of warranty. Even the IBM version doesn’t show the power supply as a field-replaceable unit.

My first step in diagnosing this dead unit was to open it by removing the cover, which involves removing all of the flat-head Torx screws on the left, right, back, and top as well as an additional 4 round-head Torx screws on the top. Next, I manually ejected the left and right tape magazines (since the unit was dead, there was no other way to eject them). The ejection procedure involves sliding a thin piece of plastic (an old credit card will do, but don’t use one you need as you’ll probably damage the magnetic stripe on it while wiggling it around) vertically between the front panel and the magazine. There’s a small white lever on each side which acts as a catch:

Eject lever - top view

Eject lever - side view

Additional information is available in the Quantum Lodged Tape Removal Instructions (PDF) document. If you cannot eject one of the magazines, it is possible that the magazine drive gear is engaged – refer to the above document for details. In addition to the possibilities listed in that document, it is possible for the loader to have had the power supply fail while in the process of moving a tape from the picker wheel to the magazine – in that case, the magazine can’t be ejected until you remove the loader cover and move the tape fully into the picker (or magazine) by hand.

With the magazines removed, there was more room to work inside the unit. Next, I removed the protective cover between the tape drive and the power supply, unplugged the power supply cables to the rear interface board and the tape drive, and lifted the power supply out of the way. This left the power supply connected to the front panel / loader mechanism. There’s a very tight fit between the loader mechanism and the tape drive and one or the other needs to be removed in order to access this cable. I decided to remove the tape drive (the loader mechanism is connected to the rear interface board by a pair of fragile ribbon cables, so removing the tape drive is easier and safer). There are 4 screws holding the tape drive carrier to the chassis, 2 on the back and 2 on the front between the tape drive and the loader mechanism. The front 2 are somewhat difficult to reach. I suggest using an extension and a magnetic Torx bit for this step. Be aware that at this point the tape drive is still connected to the rear interface board via a SCSI cable and the small library interface cable. You can either unplug these and reconnect them later, or just hold the tape drive to the side while dealing with the power cable on the loader mechanism.

Once I was able to disconnect the old power supply from the loader mechanism, I set the old power supply aside and installed a 4-pin Molex power extension cable on the loader mechanism and reinstalled the tape drive, routing the power cable along the same path as the old one:

Power extension cable

One thing to note in the above picture is the second, unused set of slots in the base pan of the chassis. It appears that some of the possible tape drives that can be fitted are wider than the SDLT600 drive in this unit. If there is no corresponding decrease in the width of the magazine, there may not be enough clearance for the connectors on the type of power extension cable I used. In this case, it would be necessary to use a longer extension cable in order to locate the connectors further toward the back, in the space between the power supply and the tape drive. I used the particular extension cable shown in these photographs because it was the longest one I had on hand, and I didn’t want to make a new, longer one from scratch. Feedback on this issue from users performing the procedure with other drives (particularly LTO models) would be appreciated (use the comment feature).

If you disconnected the SCSI or library interface cables from the tape drive, re-connect them now. Be sure to verify that the cables are located correctly and fully inserted. [I didn’t forget this when working on this loader, but it is a mistake I have made in the past.] If you don’t get both of the cables installed properly, you’ll have to disassemble the whole thing again later to fix it.

Next, I temporarily connected a generic ATX power supply to the rear interface board, tape drive, and the power extension cable for the loader mechanism, in order to confirm that this was a power supply problem:

Test with generic power supply

When I connected the AC power cord to the temporary power supply, the loader immediately commenced its power-up sequence to the point where it complained that no magazines were installed. After installing both magazines, the drive completed its power-up inventory and the loader proceeded to the “System Ready” state, as indicated on the front panel. This confirmed that the only issue was the power supply, and the loader simply needed a replacement of the correct type.

Unfortunately the power supply used in the unit, an Enhance ENP-2316BR, is not available at anything approaching a reasonable price. [As I am writing this, the least expensive one on eBay is $299.95 and the most expensive one there is $795.00. A web search turned up one for $896.00!]

At those prices, it would be less expensive to purchase a whole SuperLoader on eBay (ones with the less-desirable tape formats such as DLT VS160 are currently listed for $299.00 and up) and swap the power supply.

However, I decided to investigate further and discovered that the SuperLoader 3’s power supply is almost a standard FlexATX format unit. The differences are that it has a provision for an external on/off switch and a different quantity and length of power connectors. I initially considered the Enhance ENP-2322B-G as it was made by the same company and shared many characteristics with the original unit. Unfortunately, this series was discontinued by Enhance in June 2011, and any searches for it turn up “replacement” units, not all of which would be physically compatible with the original (mostly relocating the fan and/or changing the location of the mounting screws). I settled on the Sparkle Power FSP200-50PLB (which is not shown on their web site, and the 250 Watt version is labeled “Discontinued soon”), as it had the same fan location, etc. as the original unit. The only issue is that the replacement power supplies do not have cabling for the rear panel on/off switch. However, the loader has an on/off button on the front panel and the rear switch is equivalent to unplugging the power cord. Rather than opening up the replacement power supply, voiding the warranty, and installing switch wires, I decided to leave the rear power switch disconnected and non-functional. This power supply cost $44.99, including shipping – quite a substantial savings from the “best” price of $299.95 for the original supply.

Here are some comparison photos of the old (left or top) and new (right or bottom) power supplies:

Power supplies - top view

Power supplies - end view

Power supplies and cables

As you can see in the last picture, the new supply has more cables and most are longer (though one is shorter) than on the old supply. That’s why I installed the extension cable on the loader mechanism – I knew the cable on the new power supply wouldn’t reach all the way.

I proceeded to request an eject of the right side magazine via the front panel and then powered down the loader via the front panel pushbutton. The front panel will not respond to any commands other than the power button when either magazine is removed. This makes it impossible to remove the second magazine as the loader insists on having the first magazine re-inserted. After powering down, I performed the manual eject procedure on the left side magazine.

Next, I installed the new power supply, connected all of the cables and neatly tied the excess into a bundle between the power supply and the tape drive. There are several things to note about this step. First is that the bundle of cables should be as low as possible, in order to not obstruct the air vents on the upper rear of the the tape drive. Next is the routing of the power cable to the extension cord installed previously. Use one of the far end connectors from the power supply, not one in the middle of the cable. Ensure that the cable is securely held in the provided tabs – if it comes loose it will interfere with the cycling of tapes in the right-hand magazine. Last is the use of cable ties. Do not use rubber bands or anything besides cable ties. Things are packed quite tightly inside the unit and if a rubber band or similar breaks and starts floating around inside there it could cause serious damage. Once everything was properly placed and tied down, I reinstalled the protective cover / air shroud over the power supply:

New power supply with cables tied

Cover reinstalled

Extension cord connected

At this point I reinstalled the magazines (checking for clearance where the extension cord connects to the power supply cord) and verified proper clearance of the power supply in the rear panel:

Everything installed - rear view

Note that the new power supply has a 115/230 Volt selection switch, while the original did not (it auto-detected the voltage). If the power supply you use has a selection switch, make sure it is set to the proper position for the power you have (in the US, normally the 115V setting, though some datacenters use 230V for efficiency purposes).

Lastly, I powered up the unit and verified that it completed its inventory and proceeded to the “System Ready” state. Once that was completed, I powered the unit down via the front panel and reinstalled the cover. After powering back up, the loader is ready and should hopefully provide many additional years of serivice:

All done - System Ready

Here are a few additional notes that may be useful if you perform this procedure:

Most FlexATX power supplies of 200 Watts or higher should be electrically compatible with the loader’s requirements. It is important to confirm physical compatibility as well. The main issues will be the location of the power connector and fan opening – some supplies exchange their positions which would lead to a partially-obstructed cooling fan; having a 20-pin ATX connector (some supplies have only the 20-pin, some have a 20-pin and a separate 4-pin, and some have a 24-pin – the first two will work, the last won’t); having a hole for a mounting screw above the power connector location; and having the proper bracket on the cable side of the power supply (if a supply doesn’t have that bracket, you may be able to re-use the one from the original supply, but confirm that there are at least mounting holes for the bracket on the new power supply).

If you get the urge to clean the dust out of the loader while you have it open, be very careful, particularly if you are using a compressed-gas duster. NEVER use compressed gas to spin a fan’s blades – if you must clean a fan, hold the blade so it does not rotate while you use the compressed gas. Also, NEVER used compressed gas on warm electronics. This is particularly important with DLT drives – if you do this on a DLT8000-family drive (for example), you WILL destroy at least one of the tape spool motors from thermal shock. Let the unit cool down, overnight if possible, before dusting.