Archive for the 'Computers' Category

Studio 1558 BIOS with all features unlocked – improved thermal settings and more

One of the frequent issues people reported with the Studio 1558 when it was released was overheating. Some configurations were on the edge of reliability, particularly with the thermal pads Dell used, which weren’t ideal for the higher-power CPUs. Dell made some changes in BIOS A04/A05 to improve thermal management somewhat, but those settings are not user-configurable in the stock BIOS. Combined with the direction of airflow and the difficulty in reaching the fan for cleaning, that meant that airflow could be restricted by the surface the computer was used on and large balls of dust could also build up between the fan and the radiator fins.

People came up with all sorts of solutions involving polishing the heatsink, using expensive heat sink paste and even copper shimming. One of the things people reported was that the fan would never run at full speed, even when the system was close to overheating. The only time it ran at full speed was while flashing the BIOS! I have also found that using the computer with the optional 9-cell battery helps, as the 9-cell version elevates the rear of the computer by around 1″, allowing unrestricted airflow into the bottom vent. With the standard battery, there is only 1/8″ or so between the bottom of the notebook and the surface it is sitting on. Of course, regardless of which battery is installed, it is important to not use this computer on a soft surface or anything else that might obstruct airflow.

Way back in 2011 a user named “kizwan” on the Notebook Review forum posted a modified A11 BIOS for the 1558 and subsequently updated it to the A12 BIOS per my request. It enables all of the submenus present in the Phoenix BIOS. Not all of those features apply to the Studio 1558 and as these menus were never enabled in the released BIOS, there are typos. For example, the “CPU Control Sub-menu / LPC Control Sub-menu” is completely empty and “Clarksfield” is mis-spelled “Clsrksfield” in at least one place. Also, some of the explanatory text for some menu items wraps around to the left side of the screen. None of these cosmetic issues in BIOS setup affect regular operation of the computer as they only appear in BIOS setup.

It is possible that changing some of the now-visible additional settings could put the 1558 into a non-bootable state. In that case, just disconnect the AC power adapter and the battery, then open the user access cover on the bottom of the 1558 and remove the CR2035 coin cell. Push the power button on the side of the computer to discharge any remaining “flea power” and clear the CMOS settings, then reinstall the coin cell, replace the user access cover and reconnect the battery and AC adapter. On power-up, the BIOS should report that the CMOS settings are invalid and let you enter BIOS Setup by pressing F2.

There is one known interaction which may or may not present a problem – if you enable “VT-d Technology” in the “CPU Control Sub-Menu”, the computer cannot boot from removable USB media. This is not limited to the Studio 1558 BIOS – a number of other systems from the same timeframe have reported similar problems.

Here is the menu with the various fan temperature thresholds. In this picture I have changed the defaults to turn the fan on earlier and faster:


I have been running this BIOS for nearly 10 years and have not had an overheating problem, including in Death Valley when it was 126° F and several weeks per year every year since 2015 in the Mojave Desert where the temperature was always over 100° F. I do disassemble the computer annually to clean out the dust from the fan as well as blowing the desert sand out of the keyboard.

In case the MediaFire page vanishes, I have saved a copy of the file here. You can verify that the MD5 checksum matches the one in the original Notebook Review post.

The Dell Studio 1558 – Still a nice laptop in 2021

I’ve had a number of Dell Studio 1558 laptops for well over 10 years now. Occasionally people ask me “Why do you still have that old thing? You need a newer/faster/better system!” Actually, I don’t and I’m going to explain why.

The Studio 1558 (as I have configured or built them) has lots of still-relevant features, like:

  • Quad-core i7-740QM CPU with Hyperthreading
  • Discrete AMD HD5470 graphics
  • 16GB of user-expandable memory instead of being soldered in
  • Backlit keyboard with sculpted keys and 3 backlight intensity levels
  • Full-HD (1920 x 1080) screen w/ matte (anti-glare) finish
  • 1TB Samsung 860 EVO SSD
  • 6x Blu-ray recorder
  • Integrated 802.11a/b/g/n/ac/ax WiFi using Alfa AWPCIE-AX200U (based on Intel AX200) card
  • Integrated Bluetooth 5.1 (included with AWPCIE-AX200U)
  • Integrated 4G LTE universal mobile broadband using Dell DW5808 card
  • Integrated GPS (included with mobile broadband)
  • Built-in SDHC card reader
  • Built-in hardwired Gigabit Ethernet
  • 9-cell battery for extended runtime
  • Readily available schematics, service information and parts
  • Very attractive (IMHO) styling

However, being an 11-year-old design, it does have some limitations. In approximate order from most annoying (to me) to least annoying:

  • Limited to 8GB RAM (not really – see my other blog post here)
  • Somewhat lower CPU/memory performance (see below)
  • Lower-end graphics performance for a modern laptop (see below)
  • SATA 2 interface for disk drive and optical drive
  • USB is 2.0, not a newer specification
  • “Gigabit” Ethernet tops out at around 600Mbit/sec
  • The last officially-supported operating system was Windows 7 (but it can run Windows 10 – see my other blog post here)

I don’t use this laptop for gaming, so the graphics performance isn’t a problem. I do some very light Photoshop editing when I’m on the road and posting pictures. The SATA 2 interface isn’t really limiting since I have a Samsung 860 EVO SSD with Samsung Magician software which boosts the speed quite a bit. The only time I miss having USB 3 is when backing up pictures / videos I took while traveling to an external USB hard drive for safekeeping, and that can happen overnight while I’m sleeping.

I’m going to compare the Studio 1558 with the closest-to-equivalent current systems from Dell.

First, let’s consider a Precision 7550 high-end workstation-class system configured as closely as possible to the specs of my Studio 1558 (PDF of Precision configuration here). That currently prices out at $3497.56 list price, $2439.33 sale price. While it has a faster CPU, memory and graphics, it has a keyboard with those annoying flat tops instead of sculpted ones like the ones on the Studio 1558. And it has no provision at all for an internal optical drive.

Next, let’s try a low-end system. Dell’s low-end systems are not customizable beyond selecting a stock hardware configuration with whatever software you want pre-installed. I selected the Inspiron 15 7000 as the model that came closest to the 1558 (PDF of Inspiron configuration here). After selecting 16GB RAM, 1TB SSD and a backlit keyboard, only one configuration remains, with a list price of $1659.99 and a sale price of $1409.99. Again, this has a faster CPU, memory and graphics but also the annoying flat-top keys and no internal optical drive. In addition, it lacks hardwired Ethernet (WiFi only), doesn’t support any mobile broadband options, offers no extended-runtime battery and probably has other drawbacks. It does have a higher-resolution screen than either the Studio 1558 or the Precision 7550 configuration shown above.

I’m picking Dell systems to compare with because they’re the ones I’m most familiar with, service manuals, parts and schematics are readily available, Dell doesn’t make you jump through hoops to prove you’re entitled to download drivers and BIOS updates, and doesn’t do silly things like having the BIOS only recognize officially “blessed” vendor-branded WiFi or other add-in cards. If you know of current non-Dell systems that are close to the Studio 1558’s configuration and reasonably priced, I’d like to hear about them in the comment section.

As far as performance of the Studio 1558, it is quite reasonable. Microsoft still includes the “winsat” benchmarking tool, though it no longer displays the scores on the Control Panel / System page. But if you know where to look:
%windir%\Performance\WinSAT\DataStore\* Formal.Assessment (Initial).WinSAT.xml
you can find the scores. Windows 10 rates the system on a scale of 1.0 through 9.9 instead of the 1.0 through 7.9 scale of Windows 7. Here are the results for one of my Studio 1558 systems running Windows 10:

Overall System Score: 5.1 (lowest of the following scores)
Memory Score: 8.5
CPU Score: 8.5
Graphics Score: 5.1
Disk Score: 7.75

For comparison, the scores on Windows 7 were:

Overall System Score: 5.7 (lowest of the following scores)
Memory Score: 7.7
CPU Score: 7.5
Graphics Score: 5.7
Gaming Score: 6.3 (no longer rated in Windows 10)
Disk Score: 5.9

That shows that a high-end configuration of a Studio 1558 makes a fine Windows 10 machine if you aren’t making extensive use of graphics. Just for comparison, this is the Windows 10 winsat result from a high-end (Precision 3630 with Xeon E-2286G CPU, 32GB 4-way interleaved RAM, Radeon Pro WX7100 graphics and a 1TB Class 60 NVME drive) workstation costing over $5000:

Overall System Score: 8.7 (lowest of the following scores)
Memory Score: 9.3
CPU Score: 9.3
Graphics Score: 8.7
Disk Score: 8.9

I’m happy with that.
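As an added example (not from the post), here is a Python script that reads the WinSPR scores out of the newest "Formal.Assessment (Initial)" file in the DataStore folder named above and checks that the overall score really is the lowest component score. The XML element names are assumed from the DataStore files, and the embedded sample is constructed from the Windows 10 scores quoted here so the script also runs away from a Windows box.

```python
import os
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed WinSAT document reduced to the WinSPR block. Element names are
# assumed from the DataStore XML files; values are the Windows 10 scores quoted
# in the post for one Studio 1558.
SAMPLE_WINSAT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<WinSAT>
  <WinSPR>
    <SystemScore>5.1</SystemScore>
    <MemoryScore>8.5</MemoryScore>
    <CpuScore>8.5</CpuScore>
    <GraphicsScore>5.1</GraphicsScore>
    <DiskScore>7.75</DiskScore>
  </WinSPR>
</WinSAT>
"""

# Component scores that feed the overall (SystemScore) figure.
COMPONENTS = ("MemoryScore", "CpuScore", "GraphicsScore", "DiskScore")


def winspr_scores(xml_text):
    """Return {element name: float} for every numeric child of the WinSPR block."""
    root = ET.fromstring(xml_text)
    spr = root.find("WinSPR")
    if spr is None:
        raise ValueError("no WinSPR block found: not a formal assessment file?")
    scores = {}
    for child in spr:
        try:
            scores[child.tag] = float(child.text)
        except (TypeError, ValueError):
            pass  # non-numeric elements are skipped
    return scores


def overall_matches_lowest(scores):
    """True when SystemScore equals the lowest component score present."""
    comps = [scores[c] for c in COMPONENTS if c in scores]
    if not comps or "SystemScore" not in scores:
        return False
    return abs(scores["SystemScore"] - min(comps)) < 1e-9


def latest_formal_assessment(datastore=None):
    """Newest '* Formal.Assessment (Initial).WinSAT.xml' in the DataStore, or None."""
    if datastore is None:
        windir = Path(os.environ.get("windir", r"C:\Windows"))
        datastore = windir / "Performance" / "WinSAT" / "DataStore"
    datastore = Path(datastore)
    if not datastore.is_dir():
        return None
    files = sorted(datastore.glob("* Formal.Assessment (Initial).WinSAT.xml"),
                   key=lambda p: p.stat().st_mtime)
    return files[-1] if files else None


if __name__ == "__main__":
    path = latest_formal_assessment()
    text = path.read_text(encoding="utf-8") if path else SAMPLE_WINSAT_XML
    scores = winspr_scores(text)
    for name, value in scores.items():
        print(f"{name:15s} {value:5.2f}")
    print("overall is the lowest component score:", overall_matches_lowest(scores))
```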

Please note that the above benchmarks and my “seat of the pants” performance opinion are based on a system with an i7-740QM CPU (this was the top-end CPU offered by Dell in the 1558), 8GB or 16GB of RAM, and a fast 1TB SSD running Windows 10 x64 LTSC. As part of the research for this article, I used a 1558 with an i5-520M CPU, 4GB of RAM and a 320GB mechanical hard drive, running Windows 10 Pro 20H2. Saying the overall experience was quite unpleasant would be a bit of an understatement. Simply restarting Windows had the disk saturated at 100% for well over 10 minutes as shown by the Task Manager / Performance window. An SSD would certainly have helped, but the 4GB RAM certainly caused a lot of paging activity. Given the cost of the upgrades today, it seems silly to not upgrade a Studio 1558 to a top-spec system.

With the computer running Windows 10 LTSC and Office 2019 Professional Plus, I felt it was only fitting to update the palmrest badges to reflect this. This is the original “Energy Star” sticker from 2010, but the CORE i7 badge has been updated to the latest style, the Windows 7 badge was replaced with a Windows 10 one, and an “Office 2019 Professional Plus” sticker was added to complete the display. The “Portable4” and “Backup PC” labels indicate the hostname on my network and that this is one of 3 identical Studio 1558 computers, one labeled “Real PC” that goes on the road with me when I travel, and 2 labeled “Backup PC” in case something happens to the real PC.


16GB RAM on a Studio 1558 is possible!

As part of an upgrade of my Dell Studio 1558 computers to Windows 10 (you can find all of my Studio 1558-related posts here), I decided to investigate the possibility of actually installing 16GB of RAM in each one. This is theoretically impossible according to Dell. So I checked the Intel Ark page for the Core™ i7-740QM CPU and it also says “Max Memory Size (dependent on memory type) 8 GB”. Pretty definitive, right?

Getting into the technical nitty-gritty, “Intel® Core™ i7-900 Mobile Processor Extreme Edition Series, Intel Core i7-800 and i7-700 Mobile Processor Series Datasheet – Volume One” (document number 320765-001, September 2009) is quite clear on pages 20-23 that the largest DIMM configuration supported is two 4GB modules. The “Intel® Core™ i7-900 Mobile Processor Extreme Edition Series, Intel® Core™ i7-800 and i7-700 Mobile Processor Series – Specification Update” (document number 320767-028US, February 2015) doesn’t say anything about support for increased memory sizes.

Not that that has ever stopped me before… I checked the Crucial web site (not that I’m a big fan of Micron/Crucial, but they are a memory chip manufacturer as well as selling memory modules) and they also list 8GB maximum memory, using 2 CT51264BF160B 4GB modules. This is a DDR3L-1600 part with 11-11-11 timing at that speed. That is a faster part than the Studio 1558 needs, since the fastest memory any of the CPUs in the 1558 need is DDR3-1333 with 9-9-9 timing. Fortunately, most things are perfectly happy with faster memory, even if they won’t make use of it. Cisco excepted, of course.

It turns out that Crucial makes that exact same spec of memory in an 8GB module, the CT102464BF160B. At only $37.95 each from Amazon, it seemed like a fun project to order two of these modules and see what would happen. And this was the result:


So far, so good. But what would the longer-term reliability be like when the system was heavily loaded? I decided to run Memtest86+ 4.20 (available here) to see:


At that point it had run solidly for 3 passes / 11 hours in Memtest86+. So I think it is safe to assume that this will work for the long term. This image also shows that the full 16GB is cacheable – sometimes when experimenting with oversized memory configurations only part of the memory is cacheable, leading to inexplicable random-seeming performance drops. Not shown in this picture, but displayed on another Memtest86+ screen, is that the memory is operating in fully interleaved mode, which Intel refers to in the datasheet as “Dual-Channel Symmetric Mode” and which provides maximum performance. This is the same mode that 2 * 4GB memory operates in, so there is no performance loss with the larger memory.

Of course, Dell and Intel both saying that it is unsupported means that you’re doing this at your own risk. It is not like any of these notebooks or CPUs are still in production (or even under warranty) at this point, 10+ years later. IMPORTANT: I have only tested this with the 4DKNR motherboard (discrete ATI HD 5470 graphics) and an i7-740QM (S-spec SLBQG) processor with BIOS version A12. It may not work with other motherboards, CPUs or BIOS versions.

I have a number of theories as to why this was listed as unsupported:

  • At the time, 8GB memory modules were very rare in the SODIMM form factor. The memory controller (integrated on the CPU die in the i7-740QM processor) only supports 2 memory sockets.
  • Large-memory configurations were not that popular in Dell notebooks (at least in the Studio 1558 class) at the time. I’m told that the vast majority of Studio 1558s sold by Dell shipped with either 4GB (2GB * 2) or 6GB (4GB + 2GB) of installed memory.
  • Dell sold the Studio 1558 with a wide variety of CPUs with either integrated graphics or discrete graphics. It is possible that some of the CPUs or motherboards were actually limited to 8GB and it was just easier to say that they all had an 8GB limit. That doesn’t explain the Intel Ark pages also being incorrect, though.

I did try a pair of 16GB modules (the CT204864BF160B) and they did not work – neither a pair of modules for a total of 32GB nor a single 16GB module in either the DIMM A or DIMM B socket was recognized – all resulted in the 4 beeps indicating “Memory read / write failure”. It is interesting that the error was not the 2 beeps of “No Memory (RAM) detected”, so the system definitely determined that there was memory installed; it just didn’t know how to deal with it. Given that a) we’re talking about trying to fit 32GB in a 10-year-old laptop, b) most new laptops ship with 16GB or less, and even Dell’s current Alienware gaming laptops have more 16GB models than 32GB models, and c) a pair of Crucial CT204864BF160B modules works out to around US $300 at present, which makes it economically impractical since for $300 you can get a very nice whole used Studio 1558 with discrete graphics, 1920 x 1080 screen, etc., I think any further pursuit of this and related stunts like trying a Core i7-940XM is the computing equivalent of “They’ve gone to plaid!” (click the link if you don’t get the Hyperdrive joke from the movie “Spaceballs”).

Reversing airflow on Cisco 3945 routers

The Cisco 3945 router ships with the default airflow “backwards” (back-to-front) compared with all other standard Cisco routers and switches. While back-to-front is available on a number of Cisco products, as either a factory option (for example, the Catalyst 4948E-F) or as a field conversion (for example, the Catalyst 4500-X-16SFP), the 3945 is the only Cisco device I’ve encountered which defaults to a back-to-front airflow. There is an optional fan assembly (3900-FANASSY-NEBS) which has front-to-back airflow, but it is hard to find and represents a large additional expense, since your 3945 presumably has a fan tray already that is working perfectly (but backwards).

This article shows how to convert a fan tray from the standard 3900-FANASSY to 3900-FANASSY-NEBS with the only new part required being an inexpensive (pennies) jumper and your time to do the conversion. NOTE: While it is possible to do this (with practice) by removing the fan assembly from a running 3945 and converting / reinstalling it before the 3945 shuts down from overheating, I suggest that you power down the 3945 first to avoid the problem. If you are converting multiple units, you can shuffle converted and un-converted fan assemblies with no downtime.

You will need the following tools and supplies:

  • Small needlenose pliers
  • Small diagonal cutters
  • Phillips screwdriver
  • Several small cable ties
  • Fan mode jumper (more on this below)

The “fan mode jumper” is just a short (1″ or so) length of wire with the correct pins on each end. The pins are Molex part number 39-00-0039, 18 cents each. The tool to crimp them is Molex part number 64016-0200, which is quite expensive at $137.21. However, you can get creative and use the small needlenose pliers to manually crimp the pin onto the cable. If you do this, I suggest also soldering the pin to the cable (after crimping) to ensure a good mechanical and electrical connection.

This is the jumper wire and the small cable ties (each picture is clickable to show a higher-resolution version):

Following the Cisco instructions, remove the bezel and the fan assembly from the router. Place the fan assembly face-down on your work table and remove the 8 Phillips screws holding the two halves of the fan tray together, as indicated by the circled red areas in this picture. Your fan tray may or may not have screws in the circled yellow areas; you do not need to remove those. This is a new spare fan tray – your fan tray will likely be a lot dustier:

Carefully separate the two halves of the fan tray. One piece is only sheet metal – set that one aside for later. The other piece has the fans, wiring, and connector. That is the piece we will be working with. There is also a small clear plastic light pipe, as shown in this picture. Carefully remove it and set it aside for later:

Each fan is held in place with 4 blue silicone rubber stakes. Here is a view of one of the fans:

Starting with the rightmost fan (numbered 4 in the stampings on the tray), using the needlenose pliers, gently squeeze the expanding “V” part of the stake and carefully lift that corner of the fan up. Repeat with the 3 remaining corners of the fan and lift the fan out:

You may need to use the small diagonal cutters to cut a cable tie holding the fan wires in place if you don’t have enough slack to perform the next step. Flip the fan over so what was the top of the fan is now on the bottom (one side will have a part number sticker while the other side will be blank). Re-install the fan on the 4 blue silicone rubber stakes, and while gently pulling on the free “tail” of the stake, push the fan down against the metal of the fan tray until the expanding “V” part pulls through the fan. Repeat for each of the 4 remaining fans.

When you have the next-to-rightmost fan out, you will see the back of the connector that connects the fan tray to the router:

The red arrows in the previous picture show where the jumper needs to be installed. Bend the jumper into a “U” shape and carefully insert it into the connector until it clicks. You should end up with it looking like this:

Once you have all 5 fans flipped over, examine the underside of the fan tray to make sure there are no wires sticking out and that the fans are all fully seated on the blue silicone rubber stakes. An un-seated stake will generally appear slightly “popped out” when you look at the underside of the fan tray.

Use the small cable ties to replace any ties you had to cut to get enough slack to flip the fans over. Next, re-install the light pipe. The small U-shaped bend lines up with a matching protrusion on the sheet metal, shown with an arrow in this picture:

Carefully re-install the other sheet metal half of the fan tray that you set aside at the beginning. You may have to wiggle the light pipe a bit to get it to line up with the holes in the fan tray. Make sure that the two halves of the fan tray are fully seated on each other with no protruding pieces (there are interlocking metal tabs on the two halves). Also make sure that no wires are sticking out or being pinched. If all looks good, re-install the 8 Phillips screws. Give the fan tray another look-over to make sure everything is in place, then re-install it in the router and power up the router. Once the router has booted, use the “show environment all” command to verify that all 5 fans are operating correctly and that the router has detected the new jumper and is operating in front-to-back mode:

 Fan Tray: Installed with Reverse Air Flow. Air Filter Supported.
 Fan 1 OK, Low speed setting
 Fan 2 OK, Low speed setting
 Fan 3 OK, Low speed setting
 Fan 4 OK, Low speed setting
 Fan 5 OK, Low speed setting

Technical minutiae: The only thing the jumper does is tell the router that a front-to-back airflow fan tray is installed. If you don’t install that jumper, the router will still operate with front-to-back airflow but the environmental readings will indicate that the unit is an “air conditioner” (exhaust air is cooler than intake air):

 Fan 1 OK, Low speed setting
 Fan 2 OK, Low speed setting
 Fan 3 OK, Low speed setting
 Fan 4 OK, Low speed setting
 Fan 5 OK, Low speed setting

 Intake Left temperature: 18 Celsius, Normal
 Intake Right temperature: 17 Celsius, Normal
 Exhaust Right temperature: 16 Celsius, Normal
 Exhaust Left temperature: 17 Celsius, Normal
 CPU temperature: 49 Celsius, Normal
 Power Supply Unit 1 temperature: 21 Celsius, Normal
 Power Supply Unit 2 temperature: 22 Celsius, Normal

As you can see, exhaust air is being reported as 1 degree cooler than entering air. This is because the router doesn’t know the airflow is reversed, so the sensors behind the fan tray are being treated as exhaust and the sensors by the rear I/O panel are being treated as intake. Installing the jumper lets the router know airflow is reversed and that it should report the rear I/O panel sensors as exhaust and the sensors behind the fan tray as intake:

 Fan Tray: Installed with Reverse Air Flow. Air Filter Supported.
 Fan 1 OK, Low speed setting
 Fan 2 OK, Low speed setting
 Fan 3 OK, Low speed setting
 Fan 4 OK, Low speed setting
 Fan 5 OK, Low speed setting

 Left Intake temperature: 20 Celsius,  Normal
 Right Intake temperature: 18 Celsius,  Normal
 Right Exhaust temperature: 20 Celsius,  Normal
 Left Exhaust temperature: 21 Celsius,  Normal
 CPU temperature: 61 Celsius, Normal
 Power Supply Unit 1 temperature: 23 Celsius, Normal
 Power Supply Unit 2 temperature: 25 Celsius, Normal

Note: the two “show environment all” reports above were performed at different times, thus the differing temperature readings. There is no difference in cooling efficiency when reversing the airflow direction.
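As an added example (not part of the post), here is a small Python check that parses captures like the two “show environment all” excerpts above, reports whether the router has detected the jumper, verifies all 5 fans and sensor statuses, and flags the “air conditioner” signature (mean exhaust reading cooler than mean intake reading), so a fan tray flipped without the jumper shows up in routine monitoring. The two captures embedded in the script are constructed from the values quoted in the post.

```python
import re

# Constructed sample: "show environment all" excerpt from a 3945 whose fan tray was
# flipped to front-to-back WITHOUT the fan mode jumper (values as quoted in the post).
SAMPLE_NO_JUMPER = """\
 Fan 1 OK, Low speed setting
 Fan 2 OK, Low speed setting
 Fan 3 OK, Low speed setting
 Fan 4 OK, Low speed setting
 Fan 5 OK, Low speed setting

 Intake Left temperature: 18 Celsius, Normal
 Intake Right temperature: 17 Celsius, Normal
 Exhaust Right temperature: 16 Celsius, Normal
 Exhaust Left temperature: 17 Celsius, Normal
 CPU temperature: 49 Celsius, Normal
 Power Supply Unit 1 temperature: 21 Celsius, Normal
 Power Supply Unit 2 temperature: 22 Celsius, Normal
"""

# Constructed sample: the same router after the jumper was installed.
SAMPLE_WITH_JUMPER = """\
 Fan Tray: Installed with Reverse Air Flow. Air Filter Supported.
 Fan 1 OK, Low speed setting
 Fan 2 OK, Low speed setting
 Fan 3 OK, Low speed setting
 Fan 4 OK, Low speed setting
 Fan 5 OK, Low speed setting

 Left Intake temperature: 20 Celsius,  Normal
 Right Intake temperature: 18 Celsius,  Normal
 Right Exhaust temperature: 20 Celsius,  Normal
 Left Exhaust temperature: 21 Celsius,  Normal
 CPU temperature: 61 Celsius, Normal
 Power Supply Unit 1 temperature: 23 Celsius, Normal
 Power Supply Unit 2 temperature: 25 Celsius, Normal
"""

FAN_RE = re.compile(r"^\s*Fan (\d+) (\S+),")
TEMP_RE = re.compile(r"^\s*(.+?) temperature:\s*(-?\d+) Celsius,\s*(\w+)")
AIRFLOW_MSG = "exhaust reported cooler than intake: fan tray flipped without the mode jumper?"


def parse_show_environment(text):
    """Pull fan states, temperature sensors and the airflow flag out of the command output."""
    fans, temps, reverse = {}, {}, False
    for line in text.splitlines():
        if line.lstrip().startswith("Fan Tray:"):
            reverse = "Reverse Air Flow" in line
            continue
        m = FAN_RE.match(line)
        if m:
            fans[int(m.group(1))] = m.group(2)
            continue
        m = TEMP_RE.match(line)
        if m:
            temps[m.group(1).strip()] = (int(m.group(2)), m.group(3))
    return {"fans": fans, "temps": temps, "reverse_airflow": reverse}


def check_fan_tray(text, expected_fans=5):
    """Return (jumper_detected, problems) for one 'show environment all' capture."""
    env = parse_show_environment(text)
    problems = []
    for n in range(1, expected_fans + 1):
        state = env["fans"].get(n)
        if state != "OK":
            problems.append(f"fan {n}: {state or 'missing'}")
    for name, (value, status) in env["temps"].items():
        if status != "Normal":
            problems.append(f"{name}: {value} C {status}")
    # Compare mean intake with mean exhaust: the "air conditioner" signature from the post.
    intake = [v for name, (v, _) in env["temps"].items() if "Intake" in name]
    exhaust = [v for name, (v, _) in env["temps"].items() if "Exhaust" in name]
    if intake and exhaust and sum(exhaust) / len(exhaust) < sum(intake) / len(intake):
        problems.append(AIRFLOW_MSG)
    return env["reverse_airflow"], problems


if __name__ == "__main__":
    for label, capture in (("no jumper", SAMPLE_NO_JUMPER), ("with jumper", SAMPLE_WITH_JUMPER)):
        reverse, problems = check_fan_tray(capture)
        print(f"{label}: reverse airflow detected={reverse}; problems={problems or 'none'}")
```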

FreeBSD – Restoring inappropriately removed lang/php56 port

FreeBSD removed the lang/php56 port from the ports repository (in commits r488887 through r488894, approximately). This is due to a misunderstood “2019-01-01 lang/php56: Security Support ends on 31 Dec 2018”.

However, says (emphasis added by me):

PHP 5.6.40 Released – 10 Jan 2019

The PHP development team announces the immediate availability of PHP 5.6.40. This is a security release. Several security bugs have been fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version.

For source downloads of PHP 5.6.40 please visit our downloads page, Windows source and binaries can be found on The list of changes is recorded in the ChangeLog.

Please note that according to the PHP version support timelines, PHP 5.6.40 is the last scheduled release of PHP 5.6 branch. There may be additional release if we discover important security issues that warrant it, otherwise this release will be the final one in the PHP 5.6 branch. If your PHP installation is based on PHP 5.6, it may be a good time to start making the plans for the upgrade to PHP 7.1, PHP 7.2 or PHP 7.3.

FreeBSD removed the php56 port and dependencies as of 5.6.39. Users may be depending on either PHP 5.6 semantics, or on a port that was removed (such as devel/pecl-intl) as “collateral damage”.

I needed to restore these kits for those reasons. While I will be migrating to a PHP 7.x release with the next major rebuild of the systems in the coming month, I needed to deploy the 5.6 security fixes before then. I created a kit that restored many (but not all) of the removed ports, which you can download here. Security conscious users should NOT blindly install kits from untrusted sources like me, but instead create their own kits by looking at the official FreeBSD ports tree here. However, if you just need a quick fix and trust me, feel free to use my kit:

cd /usr/ports
tar -xpvf ~/php56-restore.tgz
mv MOVED /usr/ports/
mv /usr/ports/Mk/Uses/
portupgrade -an   # to see what ports will be updated
portupgrade -ai   # interactively approve/deny updating individual ports

Note that my kit does modify 2 “global” ports files – MOVED and You may wish to restore the official versions after updating your php56 ports to avoid possible issues with other ports (though restoring MOVED will also restore the warnings about php56 ports being EoL and removed, and will try to update your php56-extensions if you let it).

Net Neutrality isn’t the only problem

Today (July 12th, 2017) a large number of sites have joined together to raise awareness of the threats to network neutrality. For example, reddit has a pop-over window that slowly types a message beginning with “The internet’s less fun when your favorite sites load slowly, isn’t it?” This is certainly a valid concern, and many people, including myself, have legitimate concerns about how the Internet is regulated. But there are enough sites raising that point, so I’d like to talk about something different – how sites are “shooting themselves in the foot” with slow-loading (and often buggy) page content.

It all starts when a web site decides they want to track visitors for demographics or other purposes. There are a large number of “free”* tools available that will collect the data and let you analyze it in any way you like. Sure, it comes with some hidden Javascript that does things you can’t see, but hey – it is only one thing on a page of otherwise-useful content, right?

Next, the site decides they’d like to help cover the cost of running the site by having a few advertisements. So they add code provided by the advertising platform(s) they’ve selected. So their page now loads a bit slower, and users see ads, but the users will still come for the content, right? And the occasional malware that slips through the advertising platform and gets shown on their site isn’t really their fault, right? They can always blame the advertising platform.

Somewhat later, the site gets an “offer they can’t refuse” to run some “sponsored content”. The page gets even slower and users are having a hard time distinguishing actual content from ads. Clicking on what looks like actual content causes an ad to start playing, or triggers a pop-under, or any one of a number of things that make for an unpleasant user experience.

Once everyone is used to this, things appear to settle down. Complaints from users are infrequent (probably because they can no longer figure out how to contact the site to report problems). Everyone has forgotten how fast the site used to load, except for the users running ad blockers, cookie blockers, script blockers, and so on.

But one day a SSL certificate becomes invalid for some reason (expired, a site was renamed, etc.) and the users are now getting a new annoyance like a pop-up saying that the certificate for is invalid. Most users go “huh?” because they weren’t visiting (or at least they thought they weren’t visiting) Clicking the “close” button lasts for all of a second before the pop-up is back, because that ad site is determined to show you that ad. In frustration, the user closes their browser and goes out to buy a newspaper.

By this point, perhaps 5% of the actual page content is from the site the user was intending to visit. The rest is user tracking, advertising, and perhaps a bit of malware. There is a free tool run by which will let you analyze any web site to see what it is loading and why it is slow.

Here is the result for the CNN home page:

Now, that’s too small to be able to read, so this is the first part of it (click on this image for a larger view):

The blue line at 21 seconds shows when the page finished loading, although you can see that Javascript from a number of advertising providers continues to run indefinitely.

Now, let’s take a look at Weather Underground. Surely just serving weather information would have far less bloat than CNN, right? Not really:

Now, that’s too small to be able to read, so this is the first part of it (click on this image for a larger view):

It does manage to load in less time than CNN, but it is still pretty awful.

In the spirit of full disclosure, here is the result for this blog page:

Since the entire report fits, I didn’t need to add an unreadably-small overview image.

If you manage a web site, I encourage you to try yourself and see why your site is slow. If you’re just a user, you can also use to see why the sites you visit are slow. If you’re using ad blocking or site blacklisting software while you browse, the list of hosts that are serving advertisements or other unwanted content will probably be useful to you when added to your block / blacklist.

* As they say, “If you aren’t paying for it, then you are the product being sold”.

Is no crypto always better than bad crypto?

SSL (Secure Sockets Layer, the code that forms the basis of the https:// in a URL) can use any number of different encryption methods (protocols) and key strengths. While all of the protocols / strengths were presumed to be secure at the time they were designed, faster computers have made “cracking” some of the older protocols practical, or at least potentially practical. Additionally, concerns have been raised that some of the underlying math may have been intentionally weakened by the proponents (for example, NIST and the NSA) of those protocols. Perhaps an underlying flaw in the protocol has been discovered. Due to this, web browsers have been removing support for these older, insecure protocols.

Additionally, even if a protocol is still considered secure, a browser may start enforcing additional requirements for the SSL certificate used with that protocol. “Under the covers” this is a rather different situation, but for the purpose of this discussion I will lump them together, since the average user doesn’t care about the technical differences, only that a service that they used to be able to access no longer works.

In theory, this is a good idea – nobody wants their financial details “sniffed” on the way between you and your bank. However, the browser authors have decided that all usage of those older protocols is bad and should be prohibited. They make no distinction between a conversation between you and your bank vs. a conversation between you and another site (which could be a web server, UPS – battery backup, a water heater, or even a light bulb!) in your house or company. Instead, they force you to disable all encryption and communicate “in the clear”.

To add to the complexity, each browser does things in a different way. And the way a given browser handles a particular situation can change depending on the version of the browser. That isn’t too bad for Internet Explorer, which doesn’t change that often. Two other browsers that I use (Mozilla Firefox and Google Chrome) seem to release new versions almost weekly. In addition, the behavior of a browser may change depending on what operating system it is running under. Browsers also behave differently depending on when the host at the other end of the connection obtained its security certificate. A certificate issued on December 31st, 2015 at 23:59:59 is treated differently than one issued one second later on January 1st, 2016 at 00:00:00.

In the following discussion, the terms “site” and “device” are generally interchangeable. I sometimes use the term “device” to refer to the system the browser is attempting to connect to. “Site” might be a more accurate term, but for many users a “site” implies a sophisticated system such as an online store, while an intelligent light bulb is more a “device” than a “site”.

In a perfect world, people could just deal with the browser blocking issue by installing new software and / or certificates on all of the devices they administer. Sure, that would be a lot of work (here at home, I have several dozen devices with SSL certificates and in my day job, I have many hundreds of devices) and possibly expense (the companies that sell the certificates don’t always allow users to request updated certificates for free, and updated software to handle the new protocol may not be free – for example, Cisco requires a paid support contract to download updated software). However, it is not that “easy” – any given device may not have new software available, or the new software still doesn’t handle some of the latest protocols.

This leads to an unfortunate game of “whack-a-mole”, where a browser will change its behavior, a company will implement new software to deal with that new behavior, but by the time the software has gone through testing and is released, the browser has changed its behavior again and the updated software is useless. A number of vendors have just given up supporting their older products because of this – they have finite resources and they choose to allocate them to new products.

The browser authors seem to feel that this is just fine and that users should either turn encryption off or throw away the device and buy a new one. Since the “device” is often a management function embedded in an expensive piece of hardware, that simply isn’t practical. A home user may not feel that replacing a working device is necessary and a business likely won’t replace a device until the end of its depreciation cycle (often 3 or 5 years).

This strikes me as a very poor way for browsers to deal with the situation. Instead of a binary good / bad decision which the user cannot override, it seems to me that a more nuanced approach would be beneficial. If browsers allowed continued usage of these “obsolete” protocols in certain limited cases, I think the situation would be better.

First, I agree with the current browser behavior when dealing with “Extended Validation” sites. These are sites that display a (usually) green indication with the verified company name in the browser’s address bar. In order to purchase an EV certificate, the site needs to prove that they are who they say they are. For example, your bank almost certainly uses an EV certificate. Users should expect that sites with EV certificates are using secure methods to protect connections. If a site with an EV certificate is using an obsolete protocol, something is definitely wrong at that site and the connection should not be allowed.

Second, the current behavior is OK when dealing with well-known sites (for example, This is a little more difficult for browsers to deal with, as they would need to keep a list of sites as well as deciding on criteria for including a site on that list. However, there already is a “master list” of sites which is shared between various browsers – it is called the HSTS Preload list. It could be used for this purpose.

Now we get to the heart of the matter – how to deal with non-EV, non-well-known sites. Instead of refusing to allow access to a site which uses an insecure protocol, a browser could:

  • Display a warning box the first time a site is accessed via an insecure protocol and let the user choose whether or not to proceed.
  • Re-display the warning after a reasonable period of time (perhaps 30 days) and ask the user to re-confirm that they want to use the insecure protocol to access the site.
  • On each page, indicate that the page is using an insecure protocol. This could be done by displaying the URL in the address bar on a red background or similar. Google Chrome does something similar with its red strikethrough on top of the https:// in the address bar. Unfortunately, in most cases Chrome will simply refuse to access a site it deems insecure.
  • NOT require dismissing a warning each time the user accesses the site.
  • NOT require a non-standard way of specifying the site URL in the address bar, bookmarks, etc.

Security experts will probably be thinking “But… That’s insecure!” It certainly is, but is it less secure than using no encryption at all (which is what the browsers are currently forcing users to do)? I don’t think so. In many cases, both the user and the site they are connecting to are on the same network, perhaps isolated from the larger Internet. For example, most devices here are only accessible from the local network – they are firewalled from the outside world.
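As an added illustration (not code from this post or from any browser), here is the proposed policy written out as a per-host decision routine: EV and HSTS-preloaded sites keep today’s hard block, any other site using an obsolete protocol gets a single prompt whose answer is remembered for 30 days and then asked again, and in between the connection is allowed but flagged. The set of protocol names treated as obsolete, the host names and the dates are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

# Assumed stand-in for the browser's own list of obsolete protocol versions.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
RECONFIRM_AFTER = timedelta(days=30)   # the post's "reasonable period"

class Verdict(Enum):
    ALLOW = "modern protocol, nothing to do"
    BLOCK = "legacy protocol on an EV or HSTS-preloaded site: refuse"
    PROMPT = "legacy protocol, no valid consent: warn once and ask"
    ALLOW_FLAGGED = "legacy protocol, consent on file: allow, flag address bar"

@dataclass
class Connection:
    host: str
    protocol: str          # negotiated protocol version
    ev_cert: bool          # site presented an Extended Validation certificate
    hsts_preloaded: bool   # host is on the shared HSTS preload list

class ConsentStore:
    """Remembers when the user last accepted a legacy protocol, per host."""
    def __init__(self):
        self._accepted = {}
    def record(self, host, when):
        self._accepted[host] = when
    def valid(self, host, now):
        when = self._accepted.get(host)
        return when is not None and now - when < RECONFIRM_AFTER

def decide(conn, store, now):
    if conn.protocol not in LEGACY_PROTOCOLS:
        return Verdict.ALLOW
    if conn.ev_cert or conn.hsts_preloaded:
        return Verdict.BLOCK            # the two cases the post leaves as they are
    if store.valid(conn.host, now):
        return Verdict.ALLOW_FLAGGED    # no repeated dismissals inside the window
    return Verdict.PROMPT

def demo():
    """Constructed scenario: an EV bank and a LAN light bulb, both on TLSv1."""
    now = datetime(2016, 1, 1)
    store = ConsentStore()
    bank = Connection("bank.example", "TLSv1", ev_cert=True, hsts_preloaded=False)
    bulb = Connection("bulb.lan", "TLSv1", ev_cert=False, hsts_preloaded=False)
    out = [decide(bank, store, now).name, decide(bulb, store, now).name]
    store.record(bulb.host, now)          # user accepted the first warning
    out.append(decide(bulb, store, now + timedelta(days=29)).name)
    out.append(decide(bulb, store, now + timedelta(days=31)).name)
    return out
```

The expiry is what keeps the third bullet honest: the flag stays on every page, but the dialog only comes back once the window has lapsed.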

Technical note: I am only talking about insecure protocols in this post. There is a different issue of bugs (problems) in some particular implementation of SSL – for example, OpenSSL. However, those problems can usually be fixed on the server side by updating to a newer SSL implementation version and generally do not remove protocols as part of fixing the bug. My post is focused on servers that are too old and / or cannot be updated for some reason, which is a completely different issue from server implementation bugs.

What do you think? I’d like to see comments from end users and security experts – feel free to try to shoot holes in my argument. I’d love to see comments from browser authors, too.

Brother Printer Upgrade Follies

“Well, I’ve been to one world fair, a picnic, and a rodeo, and that’s the stupidest thing I ever heard…”
— Major Kong, Dr. Strangelove

That pretty much sums up my feelings about the firmware update “procedure” Brother provides for their printers. Some time ago I purchased a Brother HL-6180DW to replace an aging LaserJet 2200DN which had decided to either feed multiple sheets or no sheets from the paper tray.

I have no issues with the HL-6180DW as a printer – it has worked fine for over a year, does everything I ask it to, and successfully pretends to be the LaserJet 2200DN that it replaced so I didn’t have to update any drivers. However, I went to reconfigure it the other day to change its hostname and was greeted by the dreaded https strikethrough in Google Chrome (the “Your connection is using an obsolete cipher suite” error):

“No problem,” I thought to myself “I’ll just download the latest printer firmware.” I discovered that it is nowhere near that simple.

The first thing I did was download the latest updater from the Brother support site. Running the updater produced an unhelpful “Cannot find a machine to update.” error. Searching on the support site, this is apparently because I did not have the Brother printer driver installed. Of course I don’t – the whole purpose of this printer is to emulate printers from other manufacturers so people don’t have to install drivers when replacing the printer.

I then downloaded the printer driver from the Brother support site and ran it. It self-unpacked into a directory tree which contained no documentation. Fortunately, there was only one .exe. Unfortunately, running it appeared to have no effect other than popping up the Windows “Do you want to let this program make changes to your computer” alert box. Back to the Brother support site, where this support document bizarrely states:

“Case A: For users who connect the Brother machine to their computer using a WSD or TCP/IP port

Connect your computer to the Internet.
Connect the Brother machine to your computer with a USB cable.
The driver will be installed automatically.”

So, in order to install a network printer driver I don’t want, I have to find a USB cable and connect the printer to a PC via a USB port? That is downright bizarre… Armed with a USB cable, I do that and lo and behold, a new printer shows up which claims to be the Brother, attached via USB.

Back to the firmware update utility. Hooray! My printer is detected, and after agreeing that Brother can collect lots of information I don’t really want to give them, I finally get to click on a button to start the firmware update. After a long pause, it tells me that it cannot access the printer (which it detected just fine a few screens back). It tells me that I should check my Internet connection, disable the firewall, sacrifice a chicken, and try again. I proceed to:

  • Disable Windows firewall on my PC
  • Disable the Cisco firewall protecting my network
  • Disable IP security on the printer
  • Disable IPv6 on the printer
  • Disable jumbo frames on the printer

None of which has any effect whatsoever.

After more flailing around, I decide on a desperate measure – I will change the printer port from USB to TCP/IP in the printer properties. A miracle – running the update utility produces a request for the printer’s management password, after sending my personal data Yet Again to Brother (or is that Big Brother?). After an extended period of watching the progress bar move at a varying rate (and jump from 80-odd percent complete to 100% complete), the update has finished!

After making sure I can still print from the other computers which still think they’re talking to a LaserJet 2200DN, I go back into the PC I used for the updating and re-enable Windows Firewall. Then I re-enable the Cisco firewall protecting my Internet connection. Lastly, I restore all the settings that I changed on the printer.

“All is as it was before…”
— Guardian of Forever, Star Trek

Back to Chrome to make sure this fixes the https strikethrough… no such luck. Hours wasted for no gain.

I have NO IDEA why Brother thinks this is a good idea. Maybe they’re paranoid about people getting access to the firmware images (although anyone with access to the network and a copy of Wireshark could capture it “on the fly”). The update utility messages could be vastly improved, instead of the “Doh!” (Homer Simpson) that it does now. The support documentation could also be improved to actually explain what the utility needs in order to update the firmware.

Of course, my decade-old HP LaserJet 9000DTN came with an add-in network card which has a simple “Download firmware update from HP” button on its web management page (which, amazingly, still works despite HP having rearranged their web site multiple times since that card was new).

In a corporate network where I would have to get IT support involved in disabling my PC’s firewall, or (good luck!) disabling the corporate firewall in order to satisfy the Brother update utility, I think people would simply give up and not update the printer firmware.

And don’t think you can cheat and tell Brother you’re running Linux – the downloads for Linux don’t include a method to update the firmware.

De-bloating the Dell Server Update Utility – Yet again

Dell has released the 2015.09 SUU, and it continues to expand:

10/08/2015 08:13 PM 15,559,686,144 SUU-32_15.09.200.74.ISO

If I was growing at the same rate, I’d no longer fit through my front door. The SUU has grown by over 2.5GB since the previous release, only 2 months ago.

Even after de-bloating we’re left with a resulting size of 7,082,702,599 bytes, which is well into double-layer DVD territory. If the SUU continues its current rate of expansion, the next update may not even fit on a double-layer DVD.

De-bloating the Dell Server Update Utility – Continued

Dell has released the 2014.12 SUU, and it continues the tradition of expanding:

12/18/2014 07:13 AM 10,589,175,808 SUU_14.12.200.69.ISO

It is no longer sufficient to simply delete all the .exe files in the \repository directory if you still want it to fit on a single-layer DVD. You should delete all of the files in \bin\Windows and \java\Windows as well. This will leave you with 4,467,253,896 bytes, which is small enough to fit on a single layer DVD.
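As an added example (not a Dell tool and not part of these posts), this script applies the trimming described here and in the 2015.09 post above to an extracted copy of the SUU tree (every .exe under \repository, everything under \bin\Windows and \java\Windows) and reports which blank disc the remainder still fits on. The DVD capacities are the standard DVD-5 and DVD-9 sizes; the miniature tree it builds to exercise itself is constructed, with made-up file names and sizes.

```python
import os
import tempfile

DVD5_BYTES = 4_700_372_992   # single-layer (DVD-5) capacity
DVD9_BYTES = 8_547_991_552   # double-layer (DVD-9) capacity

def tree_size(root):
    return sum(os.path.getsize(os.path.join(d, f))
               for d, _, files in os.walk(root) for f in files)

def windows_only_files(root):
    """Every .exe under repository, plus everything under bin/Windows and java/Windows."""
    for d, _, files in os.walk(os.path.join(root, "repository")):
        for f in files:
            if f.lower().endswith(".exe"):
                yield os.path.join(d, f)
    for sub in (("bin", "Windows"), ("java", "Windows")):
        for d, _, files in os.walk(os.path.join(root, *sub)):
            for f in files:
                yield os.path.join(d, f)

def debloat(root):
    """Delete the Windows-only files; return (removed paths, remaining bytes)."""
    removed = sorted(set(windows_only_files(root)))
    for path in removed:
        os.remove(path)
    return removed, tree_size(root)

def media_for(nbytes):
    """Which blank disc a tree of this size still fits on."""
    return ("single-layer DVD" if nbytes <= DVD5_BYTES else
            "double-layer DVD" if nbytes <= DVD9_BYTES else "does not fit on a DVD")

# Constructed miniature of the SUU layout; names and sizes are made up.
SAMPLE = {
    ("repository", "fw", "BIOS.exe"): 3000, ("repository", "fw", "BIOS.BIN"): 2000,
    ("bin", "Windows", "suu.exe"): 500, ("bin", "Linux", "suu"): 400,
    ("java", "Windows", "jre.dll"): 700, ("java", "Linux", "libjava.so"): 600,
}

def build_sample_tree():
    """Materialise SAMPLE in a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="suu_")
    for parts, size in SAMPLE.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.truncate(size)   # sparse file: correct size, no data written
    return root
```

Point debloat() at a writable copy of the ISO contents, never the mounted image, and re-master the disc afterwards with whatever tool you normally use.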

At some point in the future, unless Dell deals with the SUU bloat by splitting the Windows and Linux discs, you will need to use a double layer DVD, even with the Windows executables removed.