Monthly Archives: January 2007 - Page 2

Cisco 7940/7960 SIP Firmware

October 2008 UPDATE: It seems that Cisco has re-arranged things on their website again and I can no longer find a free SIP image. If I find them on the Cisco site again I’ll post updated information, until then Google is your friend and Cisco SIP images are easier to find floating around the Internet than they were when this was originally written.

When I first started using Cisco 7960 phones with the open source Asterisk PBX I had to jump through a lot of hoops like getting SMARTNet contracts and CCO access to download SIP firmware (to replace the SCCP protocol based one) I could use on the phone. Since that time things have gotten much easier (much being a relative term). If you have a phone with very old SCCP or SIP firmware you may still need CCO access to download older SIP firmware and upgrade the firmware loader but if your phone has newer SCCP, MGCP or SIP firmware you can now download the SIP v8.2 firmware (without Cisco CallManager support) for free from the Cisco website. The two other catches are that the firmware isn’t quite the newest (at writing the newest is v8.6) and that the links are quite difficult to find on the Cisco site.

Lucky for you I’ve located this page on the Cisco website which allows you to download v8.2 and the release notes that go along with it for free. Of course, like most Cisco products, the 7960s are not designed for consumer use but to be managed in large numbers by trained IT staff. I think this is one reason that Cisco has been slow to make firmware available for free. If you look on various message boards and websites you’ll see a lot of people who are unsuccessful in getting these phones to work. I hate to say it but most of the time this is because they have no idea what they’re doing. The phones themselves are not faulty and there are specific reasons why things like TFTP configurations are recommended (easy central management in a large company) and there is poor configuration through the phone itself and no web configuration interface (saves image space). On the other hand, if you take the time to learn “the Cisco way” you’ll find you have an excellent phone that sounds and operates remarkably better than the consumer based options.

TV for IT

I was recently introduced by friends to the British sitcom “The IT Crowd”. This is quite a funny show appealing to both technically inclined and normal people. In fact, it’s been a long time since I’ve found a sitcom that is as fun as this. So far only one short season (6 episodes) has aired in the UK and later in Australia but more have been filmed and will be shown this spring.

In doing a little research I found out that NBC is actually planning to bring this to the US. Hopefully, they do a good job and retain some of the trademark British quirkiness. I’d like it if someone would show the British episodes in the US as well. The first season is out on DVD (including some nifty extras such as l33t sp33k subtitles) but there are two problems. The first is obviously region encoding, but that’s easy enough to get around; the second, which is a bit more challenging (especially when you want to retain the extra features), is the encoding for the PAL standard. Hopefully someone can make these available in the US as well!

Chaining LVM with software RAID for a scalable server

I recently procured and configured a new storage server and knew I wanted a scalable, redundant way of storing the large amount of data this server will hold. Despite what Steve Gibson has said about the so-called hardware RAID on modern motherboards, it’s dangerous! It’s not really a hardware solution and requires that the same proprietary chipset be used to recover the data, which is a dangerous thing to rely on when it’s your data you need back.

Sidebar: One of these days I’m going to get around to creating a blog or netcast devoted to correcting the misinformation on TWiT and SecurityNow (I understand that it’s difficult for them to stay on top of all this, but speculating on what you don’t understand in front of hundreds of thousands of people who worship the ground you walk on is a poor choice and seems to happen more often than I think is acceptable). They need a technical editor and fact-checker and since they apparently aren’t doing it in house someone else should.

Anyway, with modern processing power there’s little reason to use hardware RAID in much other than a large corporate environment (or if you like spending a good sized chunk of money). I’ve had good luck with the Linux mdadm software RAID and have actually been impressed with how well it works. What I have not done is to utilize LVM (logical volume manager) to make it a more scalable solution where drive size can be increased or drives added down the road.

In preparation for this configuration I read a great howto on the topic which you can find on the JerryWeb Wiki. Things went quite smoothly and I’ve been very happy with the configuration so far which includes four SATA II drives (with working hot-swap capability in a drive cage) in a RAID 5 array. As soon as I get another AHCI SATA controller in I’m going to be adding another drive to the array so we’ll see how easy the LVM makes that!

Offline Windows Patching

Not that long ago I ran across some nifty scripts from the British Heise-Security site. These scripts allow you to automatically download Windows updates for offline installation on other systems (a great idea, especially before you connect a brand new installation to the Internet). The scripts even go so far as to create an ISO for a CD or DVD which will allow you to easily install the updates on other machines. The list of updates is actually gathered from a file published online by Microsoft for use with their Baseline Security Analysis tool so it stays up to date automatically without the need to constantly update the scripts as with some other similar programs.

Unfortunately the scripts are command line based and do not allow for easy slipstreaming into a new Windows XP installation CD which is the golden egg for me. Ideally something like this would be integrated into a tool such as the excellent nLite OS slipstream tool which I have mentioned before. All the better if such a solution were open source. If you’re aware of anything like this please comment here and share the wealth of knowledge!

Adding Greylisting and SPF support to Postfix

For quite some time now I’ve been running my own Linux (Debian w/ Postfix) mailservers. For the past several years I’ve had good luck basing my installations on the fantastic instructions available at workaround.org but this summer even these systems were failing to filter a lot of my spam. Naturally, I went looking for other anti-spam technologies I could add.

For a few years now I’ve published SPF records for my domains and I’m a strong believer that wider implementation of SPF would greatly reduce the amount of spam using forged addresses. Anyway even though I had been publishing SPF records I had not gotten around to implementing SPF checks on my own server so this was one thing I was looking for.

Another was that I had heard a little bit about something called greylisting. Greylisting is a process by which mail from unknown senders is initially bounced with a “service temporarily unavailable” message but when the remote server tries a second time after waiting some period the message is allowed through. This works on the premise that real mail servers which comply with the mail RFCs will keep retrying to send a message until it goes through or a hold timer expires (usually several days) but spamming programs (often trojans on unsuspecting users’ systems) will only try once. Obviously this won’t stop all spam, especially that from legitimate companies using legitimate spam servers, and it could easily be bypassed by the trojan writers by trying to send a message several times. I believe the latter has not happened because of the additional processing overhead this would create and so far it’s simply not efficient for spammers to track all this.
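The greylisting decision described above, sketched as an added example (not code from this post or from the guide it links to). It assumes the common approach of keying on the (client IP, sender, recipient) triplet; the delay values, reply text and sample attempts are constructed for illustration.

```python
from dataclasses import dataclass, field

MIN_DELAY = 300            # assumed: seconds a new triplet must wait before a retry is accepted
RETRY_WINDOW = 2 * 86400   # assumed: an unretried first attempt is forgotten after 2 days
DEFER = "450 4.7.1 greylisted, try again later"   # assumed temporary-failure reply text
ACCEPT = "250 OK"

@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)   # triplet -> time of first attempt
    passed: set = field(default_factory=set)         # triplets that have retried correctly

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        # Addresses are lowercased so a case change does not create a new triplet.
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.passed:
            return ACCEPT                      # known sender path: no further delay
        first = self.first_seen.get(triplet)
        if first is None or now - first > RETRY_WINDOW:
            self.first_seen[triplet] = now     # unknown (or expired): start the clock
            return DEFER
        if now - first < MIN_DELAY:
            return DEFER                       # retried too quickly to count
        self.passed.add(triplet)               # waited and retried like a queueing MTA
        return ACCEPT

# Constructed sample attempts: (time in seconds, client IP, sender, recipient)
SAMPLE_ATTEMPTS = [
    (0,    "192.0.2.10",   "alice@example.org", "bob@example.com"),  # real MTA, first try
    (5,    "198.51.100.7", "promo@example.net", "bob@example.com"),  # tries once, never again
    (20,   "203.0.113.9",  "x@example.net",     "bob@example.com"),  # first try
    (30,   "203.0.113.9",  "x@example.net",     "bob@example.com"),  # retry inside MIN_DELAY
    (900,  "192.0.2.10",   "alice@example.org", "bob@example.com"),  # normal queue retry
    (1000, "192.0.2.10",   "Alice@example.org", "bob@example.com"),  # later mail, same triplet
]

def replay(attempts):
    """Run attempts through a fresh greylist; return (client IP, reply code) pairs."""
    gl = Greylist()
    return [(ip, gl.check(ip, s, r, t)[:3]) for t, ip, s, r in attempts]

if __name__ == "__main__":
    for ip, code in replay(SAMPLE_ATTEMPTS):
        print(ip, code)
```

Only the sender that waits and retries is accepted; after that, later mail on the same triplet is no longer delayed.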

Eventually I settled on implementing both SPF checking and greylisting based on this guide. The guide actually contains a full howto on setting up a Debian/Postfix mailserver similar to the workaround.org guide I mentioned before. I have only briefly glanced at this other information as I already had a working mailserver but I can say that the method they propose is quite similar, but not entirely the same as the workaround.org method.

Since implementing these changes my own mailserver has been rejecting much more spam (without any increase in false positives) than before. When I temporarily turned this off to migrate to a new mailserver I immediately saw a marked increase in spam getting through. While I have not tested it extensively it is my belief that more is being stopped by the greylisting than the SPF, mostly because many domains do not yet publish SPF records (though several large ISPs which are commonly spoofed now do).

Submarine Cable Resources

Being a network geek I’m naturally interested in submarine (sometimes called underwater or undersea) cables used to make internet and voice connections across oceans. I recently had the opportunity to spend a brief amount of time researching these and found a few useful sites.

The Eyeball-series website has two pages, one describing cables under the Atlantic Ocean and another for cables under the Pacific Ocean. They list origination and termination points of cables along with maps indicating roughly where they cross.

The International Submarine Cable Protection Committee has several interesting pages including a narrative history of submarine cables, timeline of submarine cables and a database of cables which did and do exist among others.

The Smithsonian Institute has an online exhibition about submarine cables and has arranged for the 1959 book The Atlantic Cable by Bern Dibner to be readable online.

Finally, Alcatel/Lucent has some animations showing the laying of a submarine cable and the repair of a submarine cable.