An Avanade Blogging Community

The Falconic Code

  • The Authoritative Geek's Guide to the Dell Inspiron Mini 9 (AKA Inspiron 910) Running Vista

    I recently bought one of the first-flight Dell Mini 9 laptops.  This is my authoritative guide to the Dell Inspiron Mini 9 running Windows Vista Business edition.  The hardware.  The OS install.  The first few weeks of running it.

    This thing is long, but those who are considering a Dell Mini 9 and want to run Vista on it, or who want the deep technical stuff, would be well advised to muddle through.

    The Legal Stuff

    As always in the legal environment we live in, let's get the legal stuff out of the way:

    • This guide is authoritative only in the respect that these are my full thoughts on the matter and I have tried to be thorough.
    • This guide indicates some things that I did to my Dell Mini 9 that are provided and documented here for informational purposes.  Taking any of these actions may have an effect on your warranty.   No warranty is expressed or implied, of ANY kind, for taking any of the actions documented herein, or using any of the software indicated herein.
    • You proceed at your own risk and are urgently cautioned to seek the assistance and advice of a qualified technical professional.

     

    What did I buy?

    I paid $607.96 including tax and shipping, of which $449 was for the laptop ($493 including shipping and tax for the laptop).  $114 (including tax and shipping) was for the external hard drive and the made-for-the-purpose messenger bag/slip case by Timbuk2.

    The laptop comes in two flavors, XP and Ubuntu with choices of 3 different sizes of solid state drives (SSDs), the largest of which is 16GB.  You may purchase either 512 MB RAM (standard) or 1GB DDR2 memory.  So my configuration:

    • Windows XP
    • Intel Atom 1600MHz CPU
    • 1GB DDR SDRAM
    • 16GB Solid State HDD
    • Added optional 160GB WD Passport USB external HDD
    • Added optional Timbuk2 Messenger Bag / Slip Case

    There were some upgrades which I did NOT get which other folks may be interested in:

    • 1.3 MegaPixel integrated camera ($25)
    • Bluetooth 2.1 ($20)

     

    What did I actually get?

    When I received the Dell Mini 9, I was pleasantly astonished.  This thing has a cool factor that is way up there.  I wanted something I could travel with that would add little weight and little size so that I could stuff the thing in my laptop bag (which already carries my Toshiba M9 from Avanade).  That's exactly what I received.

    I know it is hard to get a sense of scale from these pictures.  That is wood grain in the background from my kitchen table.  I can fit this entire thing on one hand if I spread-eagle my fingers, each finger tip will ride the edge of the underside of this laptop.  If I take a standard ballpoint pen and lay it on top of the laptop, the laptop's depth is almost the exact same size.  A standard baseball hat will cover the entire thing.  There are a few things I want to point out here. 

    Note the lack of fan vents (the only real vents are on the underside to help passive cooling of the laptop).  This thing has no moving parts and hence it will probably be more durable over the long haul because of it.  It's also nearly dead silent in operation.  No exhaust fan.  No spinning platters.  No hum of a CDROM drive.  Nothing.

    The top of the Dell Mini 9 is a highly glossy plastic.  It picks up and holds fingerprints really easily.  Beware.  If you are one of those that obsess about the glossy parts of your laptop staying impeccable, this surface will drive you crazy as you always wipe it after you handle the laptop.

    This keyboard is really freaking annoying.  Most of the primary keys are only slightly smaller to fit the smaller laptop size but the F-type function keys are omitted altogether!  And then some of the special symbol keys are omitted as well.  Any symbol or functional key which is not a letter or number has been cut down considerably, including punctuation keys.  Anything which has been omitted is only available via a function key combination.  Fn+A for example is F1.  The windows backslash that Microsoft-centric folks use all of the time for file paths or share UNC paths?  Fn+ the addition symbol!  Drives me crazy.

    These pictures also do not really capture just how substantial this laptop "feels".  One of the worries I had going into this was that I would get something with a thin screen and it would be flimsy.  I hate having "flex" in my screen when I go to put the screen up or move it around.  When I have flex, I feel like I am always on the verge of breaking the laptop.  Like if I push the screen up hard enough, it will crack.  Not so with this small notebook.  One thing on the flip-side of that, however: this netbook is somewhat thick for its proportions.  It's not really bad, but in order to accommodate ports, it has some height to it, and this smaller laptop weighs about as much as a full size MacBook Air despite its smaller proportions.

    The port count on this laptop is actually surprisingly full featured.

    • 3 USB Ports (As many as my Toshiba M9!)
    • Security lock hole
    • AC Power Input
    • Combination media card holder (Includes support for all currently existing classes of SDHC cards)
    • 10/100 Ethernet LAN Jack
    • External video analog VGA port without thumbscrew holes
    • Headphone Jack
    • Microphone Jack

    I wish the LAN port was gigabit but frankly given the specifications of the overall laptop, I am not sure that this laptop could really make good use of a gigabit network connection anyway, considering the observed performance of the solid state disk and the underlying CPU specifications.

    By the way, this screen is both small and a really odd resolution.  1024x600.  It's not 16:9 or 16:10, the two standard widescreen ratios, but in order to deliver the 8.9" screen diagonal size, this thing has a really odd resolution.  It is usable but games don't like it.  Also, note that this laptop does support using the laptop screen AND an external monitor once you have updated the video driver to include Intel's GMA software.

    For geeks who care, note that this processor is Hyper-Threading enabled but not Dual Core.  Also, the underlying motherboard for this form factor is the Mobile Intel 945GSE Express Chipset.

    Also, some miscellaneous data related to the CPU that took a little research on my part that might save you some time:

    • At the time of this writing, all of the CPUs shipped in the Dell Mini 9 models are the Intel Atom N270
      • 533 MHz Front Side Bus
      • 1.60GHz Maximum Clock Frequency
      • Installed on a 437-ball FCBGA (Ball Grid Array) socket.
      • 45 nm Process
      • 512KB L2 Cache
    • At the time of this writing, the only available motherboard platform for this processor in the netbook form factor is the Mobile Intel 945GSE Express Chipset.
      • Intel 82945GSE Graphics Memory Controller Hub
        • 533 MHz Front Side Bus
        • Maximum 2GB of 400MHz or 533MHz DDR2 Memory
        • Intel integrated Graphics Media Accelerator (GMA) 950 video chipset
      • Intel I/O Controller Hub 7-M (ICH7-M)
        • Provides for more PCI-E, SATA, and USB ports than the Dell Mini 9 uses
        • "Intel High Definition Audio" Interface
        • Supports both Wireless and WWAN Card

     

    The underside of the laptop includes the panel for the user (and support) serviceable components.  To gain access to those components, you need to remove two small screws from the upper corners of the panel.  You can then remove the panel carefully by prying the top portion away from the snaps underneath and then pulling the panel up and away.  The bottom side of the panel has 3 plastic tabs which slide under the body of the laptop case so do not try to lift from that side.  Inside this area, we find 4 primary components:

    • A Single Memory SoDIMM slot (holding a 512MB or 1GB stick by default, in my photo here I have already replaced it).
    • A MiniPCI slot which holds the SSD hard drive.
    • The wireless chipset, with associated antenna wiring.
    • Oddly, this netbook also includes the physical mount for a WWAN card but no actual WWAN (3G network card) socket is installed.  This is the US version and with some research, I have seen that there appear to be some Europe based versions where an appropriate card has been installed to allow this laptop to directly access some cellular vendors.

    In my time in the Dell forums, it would seem that some folks are particularly interested in the SSD hard disk, which is in a unique form factor in these laptops with the MiniPCI card interface, and also the WWAN area which in my version comes without the appropriate hardware to accommodate a SIM card and thereby access a cell network.

    The solid state disk included in my Mini 9 is the 16GB MiniPCI model from STEC which also has a 32GB model available.  If you look at the full photos of the under side you can see that as it is, this SSD is already taking up most of the room allocated for the SSD drive.  There have been a lot of suggestions in Ideastorm and elsewhere that Dell start shipping Mini 9 laptops with the 32GB model but I would theorize that they do not do so for space reasons.  Looking at the STEC website, it looks like the 32GB model is somewhat longer than the 16GB included here and therefore would not fit in Dell's case.

    The empty WWAN bay, on the other hand is intriguing.  Would it not make sense to include some kind of 3G hardware in that spot to facilitate forward-looking cell connectivity?  I realize that from a support standpoint it makes sense rather to include WWAN cards with pre-configured SIM chips only when the laptop is being sold as a bundled product by a carrier.  Dell doesn't then have to deal with the issues from folks needing support to connect to their carrier.  At least include SOMETHING in that port.  The hardware is there, install the part and let me have the option of putting a SIM card in there and dealing with my carrier myself. 

    It feels like a heavy handed approach to artificially limiting the forward sustainability of my device, FORCING me to get a Dell mini 9 from a carrier at an inflated price with a long term contract if 3G connectivity is a feature I want.

     

    Upgrading my Mini 9 to Prepare for Vista

    Right now, as of the time that I ordered my Mini 9 right out of the gate, there were two OS options: XP and Ubuntu Linux.  I don't want XP.  It's already outdated.  Everything I own runs Vista or Windows Server 2008.  Why would I get a brand new portable machine and install an operating system that's already like 5+ years old on it that doesn't even have mainstream support from the manufacturer anymore?

    The problem with upgrading to Vista?  It's a resource hog.  It's a little better with Service Pack 1.  But still a resource hog.

    The first step here was to upgrade my memory.  I hopped on NewEgg and ordered a 2GB DDR2 SoDIMM and then replaced the 1GB that was sent with my laptop.  Remember from my earlier note that this laptop supports a maximum of only 2GB of RAM in the single slot!

    The second step was to obtain some additional hard drive space.  16GB is going to be OK to start out with for the operating system, but that means that to ensure longevity of my system, I need to start installing applications elsewhere.  So I needed an external HDD.  I purchased the WD Passport external hard drive with my laptop from Dell.  At $80 base price for the 160GB version, it's a pretty good deal, beating my local Target by about $19 and about on par with NewEgg.

    The third step was to prepare for ReadyBoost.  Since this laptop supports SDHC cards via the memory card reader, I went to NewEgg and ordered a Transcend 16GB SDHC card (Class 6.  For an explanation of what SDHC classes mean, hit Google.  Class 6 is the fastest class of card available right now.)

    I then re-formatted my WD passport drive (note that this gets rid of all of the encryption and synchronization software that comes with the drive) as NTFS file system.  I also re-formatted the SDHC card from FAT32 (default) to NTFS so that I could use it with ReadyBoost.

    I also went out and purchased a USB external slim DVD-ROM from NewEgg so that I had something to install Vista from.  I strongly recommend this.  STRONGLY.

    At this point, from a hardware standpoint, my machine was as ready for Vista as it was going to get.

     

    Trimming down Vista to Prepare for my Mini 9

    With the hardware of my Mini 9 ready, the simple fact of the matter is that Vista is still just too much of a resource hog to go with a default install of every part and piece and the kitchen sink.  Enter vLite.  vLite is an application that allows you to take an image of the installation files for Vista and then customize exactly which components you want to install, integrate additional drivers onto the operating system disk, and set many of the base configuration options so that you can have the installation do common tasks like entering the Product Key, configuring some of the Folder Options, setting your locale and timezone, etc.  vLite then packages your answer file (the file that holds those extra setup settings), your additional drivers, and the setup files for the components you want to install on a brand new ISO which you can then burn to disk.

    Now here is where things get a little more messy if you do not know what you are doing.  I am certified on Vista.  MCITP: Enterprise Administrator and MCITP: Enterprise Support Technician.  I have been playing with Vista since early beta editions and feel very comfortable with concepts like slipstreaming patches and drivers onto the disk.  I know how to do this manually and how to fix things if they go wrong.  I understand how to trace dependencies between the various components up to the feature level.  If any of this sounds confusing or you have any question about doing any of this, don't.  Don't risk screwing up your nice new Dell Mini 9 because there is no support for a trimmed Vista install from Microsoft and there will be similarly no support from Dell because they don't ship a Dell Mini 9 with Vista.

    Use something like Symantec Ghost to backup your Dell Mini 9!

    Also, I am intentionally not going into great step-by-step detail here.  Those who know how to do such things will figure it out.  Those who have no business doing such things will probably not.

    I chose to install Vista Business because frankly I intended only to use this for light web browsing, e-books, studying, etc on the road. 

    So the first step is to grab a full install of Vista.  I copied the contents of my Vista installation files to a temporary place on my desktop's C drive.  I strongly recommend doing this with an installation image which already has Service Pack 1 slipstreamed on it.  Don't worry about going to vLite yet; gather everything you need for vLite before you go into the program, as the software doesn't make a lot of sense otherwise.  Keep your product key handy; you will want to put that in vLite so you don't need to enter it during install.

    Then go to the Dell website.  Choose support.  Choose support by model.  Choose Laptops.  Choose Inspiron.  Choose 910.  Select to see the full list of drivers for 'Windows XP' as the Operating System.  Download all of these drivers (except Bluetooth) to a local storage location on your machine.  Run each of the self-extracting ZIP files and then cancel out when the installation itself is run.  By default, this will then create a whole list of driver folders under c:\dell\drivers.  There are a few drivers for which the Windows XP drivers just won't work in Vista; a key one that I recall from my own installation is the LAN driver.  Search for the same hardware name and driver versions on Google.  Dell has other laptop models that ship with a Vista driver.  Download those drivers and unzip them to your Dell drivers folder as well.  Remove the Windows XP versions of the same drivers.

    If you want to download all of the patches since SP1 and put them somewhere, you are more than welcome to.  I didn't bother.  Once I have my installation finished, I figure that I can download and install those on my Mini 9.

    So at this point we are actually ready to run vLite.

    Start the vLite application.

    Browse to where you have copied your Windows Vista installation files onto disk.  This is just the Vista install image, not the drivers and all of the other stuff.  Those should be in other directories.  DON'T choose 'Apply'.  The first time I used vLite I learned the hard way that 'Apply' equates to 'build this image for me'.

    Choose 'Next'.

    The Tasks pane allows you to choose what you do and don't want to do.  I would advise you to leave everything selected but here is an overview of the options:

    • Integration (Do you want to slipstream drivers onto the install disk?)  STRONGLY Recommend checked.
    • Components (Do you want to customize what parts of Vista are installed?)  Recommend checked unless you really want everything.
    • Tweaks (Do you want to enable some custom power user stuff that we geeks commonly do?  Things like setting your Folder Options automatically?)  Suggest checked but can safely skip this.  Will not affect functionality on your Mini 9.
    • Unattended setup (Do you want to setup your options in an installation answer file so you do not have to be at your PC during the install?)  Suggest checked if you do not want to be physically present during installation.  You can safely skip this, particularly if you WANT to have direct choice-by-choice control during installation.  Will not affect functionality on your Mini 9.
    • Bootable ISO (Do you want to make the image that we create bootable?)  STRONGLY Recommended checked.

    Choose 'Next'.

    On the integration pane, the only real settings that you need to use are the drivers.  Click the drivers tab.  Click the 'Insert' button.  Choose 'multiple driver folder'.  Choose your Dell drivers folder on disk.  vLite will crawl the subfolders to find all of the drivers to load on the Vista installation CD.

    If you want to load hotfixes, you can do that by choosing the hotfixes tab.  Otherwise choose 'Next'.

    You will be presented a 'Compatibility' dialog.  Uncheck Aero Glass (which the paltry graphics chipset struggles with on the Mini 9).  You can also uncheck Internet Explorer if you like.  I did.  I then installed Google Chrome after I was done with Vista installation.  Ignore the 'Applications' tab.  Click 'Ok'.

    Go through the tree of components.  ONLY CHECK COMPONENTS YOU WANT TO REMOVE.  I will not go into detail here as this is one of those areas where people who don't know what they are doing will break things and I don't want to be responsible for that.  I will simply say this: roll over the item on the right side and actually read what the component does before you choose it.  In the drivers folder, you can safely remove most of what is there except for anything made by 'Intel' or 'Realtek'.  Many of the accessories can be cleared.  Many of the printers can be cleared.  Many of the storage controllers can be cleared.  Remember that you need to know what you are going to use this laptop for.  If you want a media laptop, don't remove media components or games.  If you want a business desktop or a web kiosk (as mine is), then you may be able to cut away more of these components and save yourself some space.

    When you have customized your installation base, choose 'Next'.

    If you have selected to do this step, you should now be looking at the tweaks.  I strongly advise leaving any of the security options alone.  Some folks like to disable UAC.  I say that anyone who does so is an idiot.  Yes, Vista will prompt you any time you want to do something with admin permissions.  For the overwhelming majority of the Windows ecosystem right now, that is very few applications.  Running Vista without UAC is like running around a minefield with scissors.  If the minefield of malicious programs doesn't get you, you might manage to poke your eye out with a careless change, not realizing you are in an admin application.  I am personally willing to deal with a "Continue or Cancel" dialog to confirm my intent to use an application as administrator as a trade-off for a higher awareness of when I am in a mode where I can actually screw things up.

    For DEP, choose "Enabled for the OS and processes (Optout)".

    At any rate, set your choice of options and choose 'Next'.
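
    Once the trimmed build is installed, the two security tweaks above (UAC left on, DEP set to OptOut) can be confirmed from the running system.  The read-only check below is an added example, not part of the original guide; it assumes PowerShell 2.0 or later (a separate download on Vista), and the function names are made up for illustration.

```powershell
# Added example (not from the original guide). Read-only audit of the UAC and
# DEP settings; function names are illustrative. Assumes PowerShell 2.0+.

# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy values.
$DepPolicyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function New-Finding($Setting, $Actual, $Expected, $Ok) {
    New-Object PSObject -Property @{
        Setting = $Setting; Actual = $Actual; Expected = $Expected; Ok = $Ok
    }
}

function Get-UacFindings {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # EnableLUA: 1 = UAC on, 0 = UAC off (a change applies after a restart).
    New-Finding 'UAC (EnableLUA)' $p.EnableLUA 1 ($p.EnableLUA -eq 1)

    # ConsentPromptBehaviorAdmin: 0 elevates administrators without asking,
    # which silently removes the "Continue or Cancel" confirmation.
    # A missing value compares as "not 0", so the Windows default passes.
    $prompt = $p.ConsentPromptBehaviorAdmin
    New-Finding 'Admin prompt (ConsentPromptBehaviorAdmin)' $prompt 'not 0' ($prompt -ne 0)
}

function Get-DepFindings {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Cast to [int]: the WMI property is a byte, the hashtable keys are Int32.
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy

    # OptOut is the setting chosen above; AlwaysOn is stricter and also passes.
    New-Finding 'DEP policy' $DepPolicyNames[$policy] 'OptOut' ((1, 3) -contains $policy)

    # False here means the CPU or firmware offers no hardware-enforced DEP.
    $hw = $os.DataExecutionPrevention_Available
    New-Finding 'Hardware DEP available' $hw $true ($hw -eq $true)
}

$findings = @(Get-UacFindings) + @(Get-DepFindings)
$findings | Select-Object Setting, Actual, Expected, Ok | Format-Table -AutoSize

foreach ($f in $findings) {
    if (-not $f.Ok) {
        Write-Warning "$($f.Setting) is '$($f.Actual)', expected $($f.Expected)"
    }
}
```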

    If you chose to enable the Unattended installation section, this should now be presented.  Provide information about your machine, a default administrator password, computer name, product key, et al, and choose 'Next' when ready.

    Now you should choose 'Apply'.

    Then burn an ISO.

    If you did not screw this up, you should end up with an ISO of your customized Vista installation which you can save off to disk and then burn to a DVD.  Make sure you label your DVD.

    Uh, you DID order an external USB DVD ROM, right, to do the install with?

    Install Vista.

     

    Trimming Vista Post-Install

    So if you didn't manage to screw things up too badly, you end up with Vista running on your laptop.  Make sure your drivers installed properly, the LAN is available, etc.  If you find that some components don't show up, you need to obtain the Vista version of those drivers.  For the Bluetooth stack, for example, you can grab the drivers for the same hardware from another Dell laptop.  To do that, you search for the name of the Bluetooth chipset and the full version string of the drivers and add the word Vista to the search string.  So like "Realtek 5.694.0507.2008 Vista" to find the Vista version of the Realtek LAN drivers for your Mini 9.

    Install Windows Updates from the Internet.  This will require like 10 reboots (ok, that's an exaggeration but you get the point).

    Enable ReadyBoost on your SDHC (if you have one).  Use as much of the SD card as it will let you, up to 4096MB.  If your SD card is slower than Class 4 it's not worth it, so don't bother with ReadyBoost if you aren't willing to spend $30-$40 for a decent 8GB or 16GB SDHC card.  Make sure it's class 4 or class 6.

    (Optional) Install Google Chrome.  www.google.com/chrome

    Delete all of the .PNF files from c:\Windows\INF\*.PNF

    Delete everything in c:\Windows\SoftwareDistribution\Download (This will disable uninstalling any hotfixes or service packs but I have never had to uninstall any hotfix before on a client machine so this shouldn't be a big deal.)

    If you installed hibernation at all, disable it.  Start > Control Panel > Power Options.  Hibernate tab.  Uncheck the box.  Remove hibernate from any power options in your power profile.

    Set your page file to 1024 MB to 1024 MB if you are using ReadyBoost of at least 2GB.  Start > Control Panel > System > Advanced > Performance Settings button > Advanced > Change button > Enter sizes and press set button.

    Restart your machine.
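
    The two deletions and the hibernation step above, gathered into one script that reports how much space was reclaimed.  This is an added example, not part of the original guide; it assumes PowerShell 2.0 or later in an elevated session, stops the Windows Update service around the cache deletion as an extra precaution the guide does not mention, and leaves the page file step to the Control Panel path given above.

```powershell
# Added example, not from the original guide. Run elevated; try -WhatIf first.
# Assumes PowerShell 2.0 or later, which is a separate download for Vista.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Total size in bytes of the files matched under a path (0 if none).
function Get-FileBytes {
    param([string]$Path, [string]$Filter = '*', [switch]$Recurse)
    $files = @(Get-ChildItem -Path $Path -Filter $Filter -Recurse:$Recurse -Force `
                   -ErrorAction SilentlyContinue |
               Where-Object { -not $_.PSIsContainer })
    if ($files.Count -eq 0) { return [long]0 }
    [long]($files | Measure-Object -Property Length -Sum).Sum
}

$infDir      = Join-Path $env:windir 'INF'
$downloadDir = Join-Path $env:windir 'SoftwareDistribution\Download'

$before = (Get-FileBytes $infDir '*.PNF') + (Get-FileBytes $downloadDir -Recurse)

# Step 1: precompiled INF files (*.PNF) directly under the INF folder.
Get-ChildItem -Path $infDir -Filter '*.PNF' -Force | Remove-Item -Force

# Step 2: Windows Update download cache. Stopping the service first is an
# addition here, so no download is in progress while the files are removed.
$wasRunning = (Get-Service -Name wuauserv).Status -eq 'Running'
if ($wasRunning) { Stop-Service -Name wuauserv -Force }
Get-ChildItem -Path $downloadDir -Force | Remove-Item -Recurse -Force
if ($wasRunning) { Start-Service -Name wuauserv }

# Step 3: turn hibernation off. powercfg is an external program and does not
# see -WhatIf, so it is wrapped in an explicit ShouldProcess check.
if ($PSCmdlet.ShouldProcess('hibernation', 'powercfg -h off')) {
    powercfg.exe -h off
    if ($LASTEXITCODE -ne 0) { Write-Warning "powercfg exited with $LASTEXITCODE" }
}

$after = (Get-FileBytes $infDir '*.PNF') + (Get-FileBytes $downloadDir -Recurse)
'{0:N1} MB reclaimed from INF and the update cache' -f (($before - $after) / 1MB)
```

    With -WhatIf the script only lists what it would delete and reports 0.0 MB reclaimed.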

     

    Running Vista and Summary

    By the end you should be running Vista on your new Dell Mini 9. 

    This Laptop is good for:

    • A low-power portable machine for your kid.
    • An inexpensive road warrior laptop for surfing the 'net and email on a personal box (this is what I got it for).
    • A traveling laptop for someone who does everything with online documents.
    • Someone obsessed with social networking and wants to be able to do it anywhere.

    Don't use this Laptop for:

    • A Desktop replacement.  There are laptops for that.  This one is not it. The Dell mini 9 seems to work off of the principle of "just enough" power.
      • When I have this thing in my laptop elevation rack with keyboard, mouse, DVD ROM, external HDD, and second monitor, it really looks like Frankenstein's laptop.  Cables stick out everywhere from the small sides of this thing.  If you want a desktop replacement, get a larger form factor laptop.
    • A gaming laptop.  Video chipset is too weak.  The processor cannot keep up with modern games.  The screen is an odd size.
    • Anything with significant storage needs.  16GB is just not going to cut it.
  • Campaigning for a Stronger Dell Mini 9!

    This campaign season, I too have a political platform:  More Memory and a bigger SSD for the Dell Mini 9!  Bigger batteries with More Power Available!

    Get out there and cast your vote for more power options, people!  And a bigger battery, too!

  • Gerstmann-gate Nearly a Year Later

    In a conversation earlier today with a colleague, and one of my mentors, I came to think a little bit about the depth of harm that has really been done to the CNet / Gamespot reputation by Jeff Gerstmann’s firing. The evidence? It’s nearly a year later (the original firing was in November 2007), and I am still thinking about it enough to be writing about it.

    For those unfamiliar with the controversy and the original events, I invite you to read through the Kotaku coverage on the subject. It’s as good as any. In particular, I would like to direct you to two of my favorite pieces of media that illustrate the situation in a non-traditional way: Penny-Arcade’s comic on the subject, and the “JFG” movie which was a modification of Oliver Stone’s JFK, brilliantly redone for the subject.

    The Internet goes Nuts

    … And I don’t mean nuts in a “let’s all go frantically active” context as sometimes the phrase is used, but more in the “dial 911 and get an officer over here to arrest this crazy sucker” tone of nuts. Jeff published a review and accompanying video review on a game called Kane and Lynch. The game was just mediocre. Jeff rated the game honestly and the treatment in the video review was in Jeff’s characteristically irreverent sarcastic tone reserved for games which have truly messed up in some way.

    Jeff was fired soon thereafter.

    The review (video and text) was immediately removed from the site.

    The reviews were edited (some might say censored and re-cast in a positive light) and re-posted in their modified format without any indication that a modification had occurred.

    Enter the crazy mob of homicidal insanity.

    Within hours, the Eidos and Gamespot forums were either closed or were actively removing any posts from anyone on the subject. Gamespot users had added user tags to related articles both to the firing and to the review such that the overwhelming majority of the first 50 tags were user-selected and highly negative. A storm of requests to delete accounts were immediately evidenced on the Gamespot premium users’ forums to the editor. A series of death threats were made to Gamespot’s other editors and any webmaster and advertising email addresses exposed on the website.

    Virtually every other gaming site across the Internet was enveloped with the news and the response for days with equally vitriolic commentary to the articles.

    The Economics of Gaming Sites

    A disclaimer: I am not an accountant, an economist, nor have I ever been a senior manager for any games site. I have however worked for a small game development firm who has advertised with Gamespot in the past and have been involved with both Gamespy and IDGA for a while.

    The gaming user audience is a rich demographic in two ways: they have a high level of technical knowledge which allows advertisers to use much more rich media experiences and they also have a deep propensity for spending hard earnings on hardware and software products. Even more than an equivalent sized audience of IT professionals, the gaming enthusiast segment drives money into the top tier of technology products and associated Internet related gadgets at a phenomenal rate to the point of having a dedicated market of hardware for that segment.

    Gaming sites depend on Developers and Publishers for information. When a game is in the development stages, or in beta, or in demo, or about to go retail, the only legal source for a game site to obtain information, screenshots, or even a copy of the game is the developer or publisher of the title looking to build buzz and positive coverage on the title. This deep content based on a network of positive relationships then builds the basis for a community to evolve and build around. It is this kind of user interaction that drives the greatest portion of page impressions for a site which in turn makes use of ads and premium position content on a site for that site’s advertisers.

    The problem where the economics runs into trouble then becomes that these same sponsors for the most part ARE the same developers and, more often, publishers which are investing in reaching that gaming audience! In addition to the traditional banner ads that are omnipresent throughout the Internet, a modern gaming site has the capacity to build further on the content positioning in front of the users beyond the standard ad models. The very positioning of where a review is carried can make a difference in how much traffic the game will receive in the site content, for example. Companies can pay for better placement on the homepage or on the entry page for a sub-section.

    Other rich media, too, can be bought. The very user interface of the site, for example can be re-“skinned” for non-subscribing users of the Gamespot website. These users can be presented with “roadblock” type near-full-screen advertisements before they get to a designated piece of content. Before and during a download, users can be presented some content about a particular game, your game, for a fee. Companies can even pay to “surround” a page with their content. Think the PS 3 games launch. Wouldn’t it be great if a company like Microsoft could surround the PS 3 launch page with images of the Xbox 360 and some advertisements for the console? That’s exactly what they did.

    The Trains, They Are Colliding

    To be clear, everything discussed to this part is normal and acceptable. Gaming sites and magazines all require content from the people who hold that content. They also sell rich advertising to the companies which want to get product in front of gamers. The conflict of interest is obvious but so long as the editing is un-linked from advertising, this relationship can sometimes be uncomfortable but can be maintained. For years, for example, oddities have appeared in magazines where an editor will have trashed a game in a review and on the opposing page, advertising has just happened to make that page the placement for an advertisement touting the same game title.

    In Gamespot’s case, this line appears to have been well and truly crossed last year. Eidos has openly admitted to threatening to change the nature of their advertising relationship with Gamespot over the incident. A VP at Gamespot, the VP of advertising in fact, who already had a weak reputation with the editors, stepped in and arranged for Jeff to be let go over a consistent pattern of a perceived negative tone in the editing of the site and the articles he was responsible for.

    It was this irreverent tone and solid review scores that constructed the trust of the community in the site in the first place!

    In the next 5 days, Gamespot issued 2 separate PR attempts to control the situation, at first issuing no additional details, and the second time an obvious marketing-written carefully-worded commentary which denied everything the community was concerned about but felt like press-release toilet paper.

    The Fallout

    In the past year, 6 additional Gamespot editors have left specifically indicating this firing as one of the factors in their leaving Gamespot. CNet, the parent company of Gamespot sent in another VP to investigate the possibility of an ethics compromise. The VP of advertising who instigated Jeff Gerstmann’s firing was fired himself in April 2008.

    If nothing else, by these actions, the gaming community’s assertion that there was a credibility and ethics gap here in the first place seems to have been validated.

    Captaining the Obvious

    There were some key lessons learned here. The first is that gaming sites need to be more transparent in the way that certain types of operations are handled. There needs to be a formal and publicly posted ethics policy on how the relationship between content and advertisement is allowed to work and specifically stating that advertisers may not have input into the operational aspects of the personnel of the site or the policies by which articles may be published.

    To put it bluntly, don’t expect to screw over a popular writer in the full light of day and somehow act surprised when your audience does not like watching that. The statement that you cannot comment on the details of a personnel decision will do absolutely nothing to ameliorate the situation. To this day, I am unaware of a mea culpa from Gamespot in this matter in any published medium aside from the behind-the-scenes actions in which they certainly appear to have recognized the problem.

    Publish the policy where your editors are and are not allowed to comment on something. Have something to point to. If Gamespot had come out early and said that “here are some of the things we take issue with and hence we feel this is justified”, the situation might have been a whole lot different. Sure, maybe it’s FUD, but don’t stay silent. At the very least have something to point to that says that “this is why I can’t talk about what is going on, here is the detail I can give, and that’s all I can say according to policy, sorry”.

    Transparency is key and ethics should be non-negotiable.

    The trust of the gaming community was harmed and we are a fickle crowd. Here it is 10 months later and I still cannot trust Gamespot again.

    It probably doesn’t help that for the 10 months since the firing, Gamespot has consistently been reviewing games higher than comparable outlets according to metascore – an influence of advertisers and an ad-motivated firing? I’ll leave that for you to decide.

  • Video Blog: Managing Virtual Networks in Hyper-V

    This video blog runs about 5 minutes, 30 seconds and focuses on the management of virtual networks in Hyper-V through the Manage Virtual Networks panel.  The topics covered include configuring various types of virtual networks on the Hyper-V hosts and the configuration settings which can be modified.

    This content is roughly level 100.

    http://tfc.wanderson.org/Managing_Virtual_Networks_in_HyperV/Managing_Virtual_Networks_in_HyperV.htm

    Falconic note: Community Server, the software upon which this blog is hosted, currently is configured to remove embedded media from blog posts.  You will need to click the link above to view the video blog.

  • Video Blog: Creating a Virtual Network in Hyper-V

    This video blog runs about 5 minutes and focuses on the creation of a virtual network in Hyper-V through the Manage Virtual Networks panel.  The topics covered include building various types of virtual networks on the Hyper-V hosts and the configuration settings exposed.

    This content is roughly level 100.

    http://tfc.wanderson.org/Creating_a_Virtual_Network_in_HyperV/Creating_a_Virtual_Network_in_HyperV.htm

    Falconic note: Community Server, the software upon which this blog is hosted, currently is configured to remove embedded media from blog posts.  You will need to click the link above to view the video blog.

  • Video Blog: Configuring Interface Settings in Hyper-V

    This video blog runs about 7 minutes and focuses on the 'Hyper-V Settings' configuration panel in the Hyper-V Manager in Windows Server 2008.  The settings covered include the default location for storage of VHD files and virtual machines, and user settings such as VMC keyboard shortcuts and setting the mouse release key combination.

    This content is roughly level 100.

    http://tfc.wanderson.org/Configuring_Interface_Settings_in_HyperV/Configuring_Interface_Settings_in_HyperV.htm

    Falconic note: Community Server, the software upon which this blog is hosted, currently is configured to remove embedded media from blog posts.  You will need to click the link above to view the video blog.

  • Video Blog: Creating a Basic VM in Hyper-V

    This video blog runs about 7 minutes and focuses on the wizard in Server Manager to create a basic Virtual Machine on Hyper-V.  This demonstration progresses through the entire creation phase, including setting the name and storage location, selecting a virtual network, attaching a Virtual Hard Disk, and finalizing the Virtual Machine creation.

    This content is roughly level 100.

    http://tfc.wanderson.org/Creating_a_Basic_VM_in_HyperV/Creating_a_Basic_VM_in_HyperV.htm

    Falconic note: Community Server, the software upon which this blog is hosted, currently is configured to remove embedded media from blog posts.  You will need to click the link above to view the video blog.

  • Video Blog: Creating a Virtual Hard Disk in HyperV

    This video blog runs about 8 and a half minutes and focuses on the process to create a Virtual Hard Disk in Hyper-V which can then be assigned to a Virtual Machine.  This demonstration completes the creation process for each of the primary types of disk in Hyper-V including Dynamically Expanding, Fixed Size, and Differencing virtual hard disks.

    This content is roughly level 100.

    http://tfc.wanderson.org/Creating_a_Virtual_Hard_Disk_in_HyperV/Creating_a_Virtual_Hard_Disk_in_HyperV.htm

    Falconic note: Community Server, the software upon which this blog is hosted, currently is configured to remove embedded media from blog posts.  You will need to click the link above to view the video blog.

  • Video Blog: Base Controls of the Hyper-V VM

    This video blog runs about 5 and a half minutes and focuses on the basic controls that an administrator can use to connect to and manipulate the operating state of a Hyper-V virtual machine (VM).    This introduction examines the differences between the Turn Off and Shutdown functions as well as the operation of the Save and Pause functionality in Hyper-V.

    This content is roughly level 100.

    http://tfc.wanderson.org/Base_Controls_of_the_HyperV_VM/Base_Controls_of_the_HyperV_VM.htm

    Falconic note: Community Server, the software upon which this blog is hosted, currently is configured to remove embedded media from blog posts.  You will need to click the link above to view the video blog.

  • Video Blog: Introduction to the Hyper-V Manager

    This video blog runs about 5 and a half minutes and focuses on the general features of the top level of the Hyper-V Manager user interface in Windows Server 2008's Server Manager.  This introduction takes a very basic look at the 5 major components of the interface, the general information which each provides, as well as what that functionality allows an administrator to access to maintain the Hyper-V server and its virtual machines.

    This content is roughly level 100.

    http://tfc.wanderson.org/Intro_to_HyperV_Manager/Intro_to_HyperV_Manager.htm

    Falconic note:  Community Server, the software upon which this blog is hosted, currently is configured to remove embedded media from blog posts.  You will need to click the link above to view the video blog.

  • Video Blog: Introduction to the Hyper-V Role Display

    This video blog runs about 7 minutes and focuses on the functions provided on the high-level "Hyper-V" role node in the Server Manager of Windows Server 2008.  This includes the quick status information provided by the events display, using the events filter, looking at the services status, and a brief overview of the technical resources at the bottom of the Hyper-V role pane.

    This content is roughly level 100.

    http://tfc.wanderson.org/Intro_to_HyperV_Role_Display/Intro_to_HyperV_Role_Display.htm

    Falconic Note: Community Server, the software upon which this blog is hosted, currently is configured to remove embedded media from blog posts.  You will need to click the link above to view the video blog.

  • Video Blog: Introduction to Server Manager

    This is actually my inaugural video blog, a concept I have been thinking about for a bit and playing around with these last few days.  This first entry addresses the high-level concepts in using the Server Manager in Windows Server 2008.  This is roughly level 100 content and introduces the interface.  My concept is to start very basic with this concept and work my way into virtualization configurations from here.

    This first entry is much longer than I had originally intended, weighing in at 12 minutes or so.

    We will see how well this is received.  Feel free to leave me a comment or email me at waynea@avanade.com

    Unfortunately Community Server, the software that runs this site, won't actually let me embed the video AS a video.  It saves my entry with the code in it, as is, and then when it displays the blog entry on the site itself, it simply does not send that set of code to the client.  Brilliant.

    In the meantime:

    http://tfc.wanderson.org/Intro_to_Server_Manager/Intro_to_Server_Manager.htm

  • The Sky has not yet Begun to Fall

    Recently at Black Hat / DEFCON, a presentation was given which indicated that a couple of security researchers had found isolated ways around the Windows Vista stack of security features intended to protect against the buffer overflows and predictable memory address space attacks very common in the Windows XP days.  This news, not surprisingly, was immediately seized upon by the uninformed technology media which soon started screaming that the sky was falling.

    This morning, a colleague of mine sent me an article at Ars Technica called "The Sky isn't Falling" that takes a deeper look at the vulnerabilities in question and offers a balanced approach to the issue.

    This issue of the news media sensationalizing vulnerabilities is a subject that I have touched on time and time and time again but seems to rear its ugly little head every month or so as some new researcher comes out with The Threat.  Then a number of news services, including particularly Slashdot and CNet seize on the initial announcement from the researchers, before it has usually been validated by others, and proclaim to the world that [insert Microsoft platform here] has been [choose one:  broken|compromised|DoS'd|DDoS'd|Owned|vulnerable], OMG, run for your lives off of your [Microsoft Platform here] installation.  You get the point.

    One of the things that I love about this post, and the reason that I am blogging about what someone else has already covered pretty well, is that this is one of the first times that I have seen a technical media site publish the real world take on the latest "super-threat" that some researcher has presented.  One entire section of the article is entitled "Chicken Little runs amok" and even goes on to state that, "Sensationalism Sells, and there's no news like bad news, but sometimes - particularly when covering security issues - it would be nice to see accuracy and level-headedness instead.  Alarmism helps no one."

    And the "vulnerabilities" themselves?  Traditionally, a vulnerability is something that people think of as a bug or some mistake in the software.  That's not what is happening here.  A vulnerability is any feature, whether by design or unintentional, which poses a risk to the greater system.  The vulnerabilities being published are simply a well-consolidated statement of the limitations of Data Execution Protection in Windows Vista.  Applications can opt out.  And some do.  So if you are using Firefox or IE7, Java, or Flash, they may be opting out of Data Execution Protection (which keeps memory from being arbitrarily executed by crashing the application that tries it) and Address Space Layout Randomization (Windows Vista's work to keep the application guessing where a system DLL is so that predictable memory space attacks are minimized).

    The truth is that the paper is correct.  By exploiting the fact that these applications do not comply with the Windows Vista security measures, you can bypass the security measures on a Windows Vista system and it will be just as exploitable, specifically on buffer overflow, as a Windows XP system... as long as you are running in the context of one of these mostly web-related applications.

    These attacks do NOT circumvent the IE protected mode sandbox or UAC! 

    One of the things I really like about the aforementioned article as well, is that this is one of the few discussions which actually goes into detail on just what can be immediately fixed: "Some of the specific features of the attacks can be resolved by Microsoft itself -- preventing IE plug-ins from opting out of the protection schemes... and by making Windows default to enabling all the protection schemes".  At some point however, you have to wonder how much of this is really a vulnerability of Windows Vista? 

    The protection schemes are there.  If applications are making the informed decision to opt out (Firefox and the JRE from Sun, for example), isn't that really a vulnerability being introduced by the insecure choices of that application?

  • Open Wireless Connections Bite Retail.... AGAIN!

    Some retail stores apparently either do not have a Chief Risk Officer or pay them no heed at all.  A while back I posted a security blog entry called A Year after TJX: Have we learned anything?  According to the recent announcement from the Department of Justice, the answer is an emphatic 'Not Hardly.'

    Let's look at some brief numbers.

    11 people.

    40 million credit card numbers.

    And the number I find most incredible?  This all happened over 5 years!

    The primary method of entry into these networks?  In many of the cases, an unsecured wireless network that allowed free traffic between the wireless network segment and networks which handled sensitive PCI data.  Think about how many wireless-based information compromises we have seen in just 2 years!

    Some of the more publicized compromises:

    • August 2006: Dollar Tree (Total Compromises Unknown)
    • November 2006: IRS (2,359)
    • January 2007: TJ Maxx (45,700,000)

    I am interested to see what the total cost of these compromises at the affected retail firms comes out to be inclusive of lawsuit settlements, et al.  My thinking is that there would be a very comprehensive business case possible for security professionals to work on locking down or completely re-deploying wireless segments.  Particularly in locations which allow public traffic such as malls and public retail stores.

    In the case of the Dave and Busters compromises, the physical security of several computer-based register terminals was compromised in order to install sniffing software on the endpoint -- in at least 11 D&B locations.  While the latter compromise is still onerous, I can at least understand the attack vector being an unrecognized vulnerability.  It's something any security or risk officer should be aware of but at least there was a physical compromise component to the attack.  Computer-based terminal endpoints acting as registers for the bar, token/credit purchasing stations, various areas of the restaurant, all make for endpoints to target.  This vulnerability also holds true for many other retail locations.  Think of any time that you have been in a retail store where one or more registers has been "open" and unlocked with no staff around for at least 15 feet in any direction.  We have all been there and seen it.

    Let's hope that the retail industry does a better job of recognizing the potential for a repeat of the unattended-POS-terminal attack vector.  Sadly, given the poor showing in this case, I am not as confident as I would have been before this announcement.  Following TJX, the PCI standards tightened somewhat, mandating protection against wireless-connected network segments and requiring that payment information on networks be encrypted in transit.  Apparently those mandates came none too soon.

    Although I have to question:  How many legacy card reading devices are there still out there?  My latest cab fare, for instance, used an older style reader that printed the card number, name, expiration date, etc as clear text.  How can we be sure in this world of fully electronic payment?

  • Intersecting Security in a Hyper-V World

    As the industry settles into a market where virtualization has major offerings from Microsoft, VMware, and the Open Source communities, administrators and security engineers are beginning to grapple with the implications of virtualization on infrastructure security.  Fortunately, virtualization is really nothing new.  While the utility (and cost savings!) of infrastructure consolidation are being increasingly recognized every day, infrastructures constructed on virtualization and virtual partitioning platforms extend back into the days of mainframe, as well as adoption of hypervisor-based platforms throughout the late 90s and this decade.  Security professionals are not without lessons learned to apply in building the next generation of Hyper-V driven infrastructures; the start of securing your enterprise is merely a trick of recognizing how to modify them for today's intensive needs.

    In order to understand the security model in a Hyper-V virtualized environment, the administrator or security professional needs to examine the most basic mechanics of virtualization and the relationship that the Guest Virtual Machines (VMs, also called Hosted Instances or Logical Partitions -- LPARs -- in some environments), the Host operating system, and the hypervisor kernel share in Microsoft's Hyper-V architecture.

    In Windows Server 2008, the Hyper-V  virtualization layer is actually running "below" the level of the Host Operating System and directly handles the low level functions which make a computer operate -- as well as mediating the access requests between the host operating system components and the Guest VMs. 

    Those working with Virtual Server 2005 will recall that this is a major reconstruction of the operation of the virtualization layer.  In Virtual Server 2005, the virtualization layer was running "on top" of the operating system, as a series of Windows system services.  In Virtual Server 2005, this resulted in sometimes harsh performance losses because any input or output request from a guest VM was made from the application on the guest needing the access, had to complete the operating system "stack" on the guest and then was relayed by the VM to the Virtual Server software service(s) through the appropriate emulated hardware.  The virtual service in question would then make the necessary requests of the underlying host operating system.  The host operating system running Virtual Server would then need to complete its entire stack of software functions to actually make the necessary request of the hardware the server was running on, before passing the resultant data all the way back up through all of these layers.

    In Hyper-V the virtualized guest's resource request never has to go through the Host operating system!  This is a very important point in Hyper-V which not only results in vastly improved efficiency rates for I/O intensive operations on guest VMs but also is critical to understand in the protection of the consolidated environment.   The Hypervisor microkernel, not the Host Operating System, is the only component between the guest VMs and the hardware.  Along with this efficiency gain (and its attendant increase in the attractiveness of Hyper-V for enterprise consolidation implementations) comes the consideration that a security engineer or network administrator needs to be conscious of all four components: the hardware, hypervisor, host VM, and guest VMs.

    When a security engineer examines a Hyper-V virtualized environment, two primary divisions of strategy apply to the consolidated infrastructure.  The first is that the same security principles that apply anywhere else in your environment need to apply to both host and guests in Hyper-V hosting.  The second is that virtualization has special strategy demands which require closer attention to detail in some areas in order to consider the effect that a unified server has on multiple potential services run in independent VMs on the same underlying hardware.

    The Basics Still Apply

    Maintain Physical Security

    As with any information technology infrastructure, once an attacker has physical access to the hardware that a server is running on, the attacker can easily compromise nearly any level of the operating capacities of the machine through the use of offline threats: key loggers, local networking monitors, forensic analysis of the hard drives, or booting into a "Live CD" with a built-for-the-purpose set of tools.  In consolidated environments, it is true that much of the time the data of the guests is not directly stored on Direct Attached Storage.  Keep in mind, however, that if the use of offline tools allows an attacker to obtain administrative credentials on the host and then return the server to service, they can use the host-level access to enable further attacks on the guests, including making shadow copies of the storage for the guest VMs which can themselves be subjected to further offline attacks.

    To protect physical security of the server, in an enterprise environment, consider investing in remote management hardware such as physical remote management cards which allow server-level access to KVM and drive functions, a consolidated KVM-over-IP solution, and implementing separation of duties.  These days, remote management tools are sophisticated enough to ensure that a remote administrator can start a session with a remote management unit and have comparable access to the base keyboard, mouse, and console display (and sometimes even the CD/DVD drive) that the administrator would have accessing the box in person.  Note the word 'and' in 'and implementing separation of duties'.  Giving your administrators the ability to remotely administer the box is effective only if you also remove their physical access to the data center.  In the enterprise, data centers often have specifically employed individuals who can address the operational needs of cabling, racking hardware, installing new hardware, and possibly hitting the power button for a power cycle in the case of some catastrophic failure.

    Separating the duties of those with logical access to the server (and administrative ownership over the function of the operating system and applications running on the server) from those with physical access to the server for operational requests allows you to reduce risk of physical access-based attacks through minimizing the number of people with that access.  The data center administrators have physical access to the server, but not the authorization information to change the operating system, and the network administrator or engineer has necessary authorization to operate the software running on the server without enabling another entire class of users to have direct access to the data center.

    Less Software Means Less Attack Surface

    Given that the host operating system in a Hyper-V server acts as little more than a platform for administration tools,  the administrator has a new ability to trim down the software packages that run on the server itself.  Each installed role or package which is surplus to the Hyper-V server provides another set of code which could either potentially be used directly by an attacker against the host itself (particularly in the case of superfluous pre-staged administration tools), or could contain vulnerabilities which, in the case of running services, could allow an attack vector in the first place.

    An administrator who needs to perform changes on the Hyper-V server has access to the server remotely through the Server Manager for the most common administration tasks.  For less common tasks, once an administrator logs into the server, he or she could then map a drive to a shared folder of utilities or could have an installer or zip file which can be copied over from a share, used during the course of the task at hand, and then removed.

    In an enterprise environment where the Hyper-V server is expected to host instances of production services, the host Windows Server 2008 installation should be made with Server Core!  Server Core provides a somewhat hardened environment for the virtualization services at the expense of removing many of the most common administration tools.  Guides are available across the web, including my own, on how to install Hyper-V on a Windows Server 2008 Server Core machine.   Additionally, Microsoft has made ample documentation available on how to use the command line and PowerShell to provide advanced from-the-console administrative actions.

    Updating the System is Key

    Implementing an aggressive firewall on the server and restricting direct access to the machine will be of little avail if the firewall code, or any of the services which are exposed (such as the terminal services instance in most installations), is found to have a vulnerability in the software which remains unpatched on your server.  Updating your software on the host as well as each of the guests should be part of the planned architecture of the environment.  In some cases, this has policy implications as well.  How will your change management work to allow you to reboot the host after applying updates, which also takes down the guest instances?  Do you have a universally applicable change window?  Do you need to plan a change ticket?

    Virtualization does not affect the tenet that your software should be updated!  Virtualization simply complicates the planning for host downtime but the update process must still be considered and planned for.

    Use Domain Based Credentials to Minimize Threat from Turnover

    Managing access to the environment requires attention to your authorization and identity strategy. Credentials which are based on the standalone server provide an opportunity for mistakes in de-provisioning, creating a series of active accounts with privileges possibly as high as local administrator on your host Hyper-V servers and your guest VMs.  Just as in any other information technology environment, the virtualized server environment can be easily compromised by these obsolete user accounts. 

    Engineers should minimize the number of standalone credentials created on the server itself which provide the potential for running into problems.  Reduce host services which require custom local accounts to be established.  Create a strong password for the local administrator account.  If your local environment uses a common password across the environment for administrative access, change the password periodically.  Minimize the number of local accounts being created; instead, join the server to the domain early in the setup process and add a domain-based group or account to the necessary permissions.

    Apply the Concept of Least Privilege

    Accounts which are granted privilege to the environment, regardless of the origin of the account (local or domain-based), should only have the privileges on the local system which are required for their needs.  During installation, the account which will enable the Hyper-V role needs to have administrator privileges, either based on the local administrator account, or a domain administrator.  Once the actual installation is done, and sub-administrators and end-users are working with the guest VMs, administrator privileges are no longer required for most operations IF you have invested the time to set up the local permissions.

    There is a great blog post specifically on the subject on how to delegate permissions to work with VMs without host privileges, by Lukas Beeler:
    http://projectdream.org/wordpress/2008/07/03/delegating-hyper-v-virtual-machines/

    Some basic tenets apply.  To the extent possible, do not grant permissions on the host data storage except to the directories where the individual is supposed to be able to save ISOs and other files.  Use a file share if possible to grant access to the storage location for ISOs and other locally hosted materials that the VM should have direct access to.  Avoid giving any users the ability to directly log on to the host via RDP if they do not absolutely need that ability (and force users to justify that request by providing the exact delta of what they need to do over and above what is provided by a file share and use of Server Manager).  Using the above blog, grant end-users permissions only to the VMs to which they should have rights and control.

    Virtualization has Special Strategy Demands

    Documentation of your Environment is Critical to Success

    In a virtualized environment, the relationship of logical servers to physical hardware is no longer 1:1.  Many documentation systems expect each server to be associated with a physical hardware platform and hence do not make the provision for a logical server to be associated to a host server.  In order to properly maintain your environment, virtual servers need to have documentation readily available on what guest VMs are hosted on which physical machines, as well as (critically!) the person or contact for the "owner" of the guest VM!  In my experience with virtualized environments, a number of different businesses or administrators will "own" individual virtual machines hosted on the server.  In order to prepare for downtime on a given host, it is necessary that the organization be able to properly notify affected teams of needed downtime or changes to the underlying virtual host.

    If the organization does not maintain an enterprise-level documentation system for the infrastructure environment, individual administrators can counter this vulnerability by using locally hosted documentation.  Create a directory on the server called "Documentation" in a standardized location and use locally hosted text files to store information about the individual VM names, basic configuration information, and the contact information of the owning administrator or business unit.

    Planning for Downtime affects More than the Host

    The relationship of the host to its guest VMs means at its base that as goes the host, so go the guests.  This means downtime has direct effects.  The change management, business continuity, and disaster recovery strategies of the organization may need to be modified to take into account the cascading effect that downtime on the Hyper-V host implies.  As noted previously, the documentation that your organization maintains should provide the basis for a procedure of approvals or notifications when a host should be taken down or is experiencing a downtime event.  Each of the guest VM owners needs to be involved in the downtime discussions as well as the necessary groups which administer the service of the Hyper-V host itself.

    In many enterprise environments, this means ensuring that there is some kind of tagging applicable to the Hyper-V hosts themselves to indicate additional teams that are involved in change requests as well as operational functions related to downtime itself.  Formalizing this approach in a policy could mean that in the case of an unexpected downtime event, a representative from each operational group affected by the host downtime would be present on a call or system to test and validate the application's return to service as well as to represent the importance of the downtime itself and the criticality of resolving that component in a case where more extended prioritization is required.

    In smaller environments, this could take the form of simply expanding the existing process to include additional business owners.  Adding a rep from each "owning" team to an email thread and asking for a one-line approval statement from each could be one of the simplest ways to implement the same form of interaction.
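    The locally hosted "Documentation" directory and the downtime notification step described above can be tied together in one short script.  This is an added example, not part of the original post; the one-file-per-VM `key: value` layout, the field names and the host and VM names are assumptions, and the sample files are constructed.

```python
import tempfile
from pathlib import Path

# Constructed sample records: one text file per guest VM, "key: value" lines.
# The layout and field names are assumptions made for this example.
SAMPLE_DOCS = {
    "web01.txt": "vm: web01\nhost: HV-HOST-A\nowner: Web Team\ncontact: web-team@example.com\n",
    "sql01.txt": "vm: sql01\nhost: HV-HOST-A\nowner: DBA Group\ncontact: dba@example.com\n",
    "app02.txt": "vm: app02\nhost: HV-HOST-B\nowner: Web Team\ncontact: web-team@example.com\n",
    "old03.txt": "vm: old03\nhost: HV-HOST-A\n",  # no owner recorded
}
REQUIRED = ("vm", "host", "owner", "contact")

def load_records(doc_dir):
    """Parse every *.txt file in the Documentation directory into a dict."""
    records = []
    for path in sorted(Path(doc_dir).glob("*.txt")):
        rec = {}
        for line in path.read_text(encoding="utf-8").splitlines():
            key, sep, value = line.partition(":")
            if sep and value.strip():
                rec[key.strip().lower()] = value.strip()
        rec["_file"] = path.name
        records.append(rec)
    return records

def downtime_plan(records, host):
    """Return (contact -> affected VMs, files on this host missing required fields)."""
    notify, incomplete = {}, []
    for rec in records:
        if rec.get("host", "").lower() != host.lower():
            continue
        if any(field not in rec for field in REQUIRED):
            incomplete.append(rec["_file"])  # a guest nobody can be notified about
            continue
        notify.setdefault(rec["contact"], []).append(rec["vm"])
    return notify, incomplete

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        doc_dir = Path(tmp) / "Documentation"
        doc_dir.mkdir()
        for name, text in SAMPLE_DOCS.items():
            (doc_dir / name).write_text(text, encoding="utf-8")
        return downtime_plan(load_records(doc_dir), "HV-HOST-A")

if __name__ == "__main__":
    print(demo())
```

    Records that list a host but no owner are reported separately, since those are the guests whose downtime would otherwise go unannounced.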

    The Hypervisor has Access to Near Everything

    The micro-kernel that provides the hypervisor services between the host and guests and the underlying hardware interprets all of the resource requests for the system.  As a result, it is the linchpin, with direct, low-level access to every bit and byte of data that will be returned to either the host operating system or the guest VMs.  Once an organization introduces Hyper-V into the software stack in its environment, the primary administrators or architects in that environment need to regularly update themselves on the status of updates to the Hyper-V platform and understand how attendant vulnerabilities work.

    Once a vulnerability is released that has the capacity to target the Hypervisor, the internal administrator will want to be able to escalate any attendant repair following patch release to ensure that the patch can be applied to the environment as soon as possible. 

    The administrator also needs to be in a position to protect the hypervisor to the extent possible.  If a high-severity issue that may affect the hypervisor layer is discovered in the industry, workarounds should be implemented in the environment immediately, so the mitigation approach has to be built on operational awareness rather than on any immediate proactive protective action.  Establish a process whereby one or more engineers are responsible for staying absolutely up to date on the security of the Hyper-V platform, patches, as well as security discussions in major communities.  Ensure that there is a defined and documented process that the selected engineer(s) or administrator(s) can use to immediately raise the visibility of the issue to the appropriate project, management, or change teams that can authorize necessary fixes or begin a "fast-tracked" engineering process to determine an acceptable workaround in the environment that takes into account the risk of the potential threat.

    Data Classification Assigned to the Hypervisor/Host Should be No Less than the Most Sensitive Guest

    Given that the hypervisor micro-kernel has access to all data passing back and forth in streams from the host OS and guest VMs to the underlying hardware platforms, an implied corollary would then dictate that the data classification which is applied to the Hypervisor and Host OS should be no less sensitive in classification than that of the guest VM storing or using the most sensitive data.  If your hypervisor is compromised, even though the data being stored in storage partitions of the host OS may be seemingly trivial, it is critical to realize that the host OS has access to everything!  Not just its own loaded utilities and tools!  In cases of VMs which are using iSCSI LUNs for storage, you also have the consideration that the LUN itself is directly loaded on the host OS as a drive in order to make it available as a passed-through drive to the guest VM. 

    This approach to using iSCSI LUNs means that the host OS and the hypervisor have the ability to obtain direct and complete access to all of the data stored on that LUN.

    In enterprise environments subject to regulatory requirements, your system of documentation should indicate the sensitivity of the host OS for your Hyper-V server at the heightened state of sensitivity in order for your organization to respond appropriately in the case of a compromise.  The heightened classification also matters for security settings auditing, and for ensuring that policy or application requirements for high-sensitivity infrastructure are properly applied to your Hyper-V host machines.
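    The rule in this section, that a host is classified no lower than its most sensitive guest, is easy to check against an inventory.  This is an added example, not part of the original post; the classification level names, the inventory structure and the host and guest names are assumptions, and the data is constructed.

```python
# Ordered classification scale; the level names are assumptions for this example.
LEVELS = ["public", "internal", "confidential", "restricted"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed inventory: the classification documented for each host, plus the
# classification of every guest it runs (including guests on pass-through LUNs).
HOSTS = {
    "HV-HOST-A": {"documented": "internal",
                  "guests": {"web01": "internal", "sql01": "restricted"}},
    "HV-HOST-B": {"documented": "confidential",
                  "guests": {"app02": "confidential", "file02": "internal"}},
    "HV-HOST-C": {"documented": "internal", "guests": {}},
}


def required_classification(guests):
    """The host must be classified no lower than its most sensitive guest."""
    if not guests:
        return None  # nothing hosted, so the guests impose no floor
    return max(guests.values(), key=RANK.__getitem__)


def audit(hosts):
    """Return a finding for every host documented below its required level."""
    findings = []
    for host, info in sorted(hosts.items()):
        needed = required_classification(info["guests"])
        if needed is None:
            continue
        if RANK[info["documented"]] < RANK[needed]:
            drivers = sorted(g for g, c in info["guests"].items() if c == needed)
            findings.append({"host": host, "documented": info["documented"],
                             "required": needed, "driven_by": drivers})
    return findings


if __name__ == "__main__":
    for f in audit(HOSTS):
        print(f"{f['host']}: documented {f['documented']}, must be at least "
              f"{f['required']} (because of {', '.join(f['driven_by'])})")
```

    An unknown level name raises `KeyError` rather than being treated as low sensitivity, so a typo in the inventory cannot quietly pass the audit.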

    Virtualization Enables More than Consolidation Savings!

    Implementing Hyper-V to initially consolidate your environment drives a savings in the enterprise that goes beyond reducing the server count in the environment.  A security engineer examining the virtualization environment to be implemented needs to be aware of the disaster recovery and business continuity benefits available in Hyper-V.  Designing the infrastructure to take advantage of System Center Virtual Machine Manager 2008, as well as the backup possibilities available in the virtualized environment, is best done during the initial design rather than attempting to return and retrofit these technology approaches into an already established environment.

    Hyper-V installations accompanied by System Center Virtual Machine Manager 2008 bring to the table the ability to apply high availability to the environment including virtualized clustering, V2V migration, as well as a suite of features to monitor performance and localized resource use.  There are several key applications for VMM in the environment; the first and most basic is using the performance monitoring capabilities to determine a baseline of what the expected range of resource use in the environment should be.  By establishing this baseline and then configuring alerts based on significant performance deviations, the administrator or engineer could detect when a Denial of Service, either purposeful or incidental to expected traffic, is in place that is preventing the function of one or more guest VMs in the environment.
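    The baseline-then-alert logic described above, as an added example that is not part of the original post and does not use SCVMM's own interfaces.  The samples are constructed, and the thresholds (three standard deviations, three consecutive samples) are assumptions to tune per environment.

```python
from statistics import mean, stdev

# Constructed CPU-utilisation samples (percent) for one guest VM, one per interval.
BASELINE = [22, 25, 19, 24, 21, 23, 26, 20, 22, 24, 23, 21]
OBSERVED = [23, 61, 24, 22, 78, 85, 91, 88, 25, 21]


def build_baseline(samples):
    """Summarise normal behaviour as (mean, sample standard deviation)."""
    return mean(samples), stdev(samples)


def sustained_deviations(observed, baseline, k=3.0, min_run=3):
    """Return (start, end) index ranges where usage stays more than k standard
    deviations from the baseline mean for at least min_run consecutive samples.
    A single spike is ignored; a sustained run, high or low, is what suggests
    that a guest is being starved or flooded."""
    mu, sigma = baseline
    limit = k * max(sigma, 1e-9)  # guard against a perfectly flat baseline
    alerts, start = [], None
    for i, value in enumerate(observed):
        if abs(value - mu) > limit:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_run:
                alerts.append((start, i - 1))
            start = None
    # Close a run that is still open when the data ends.
    if start is not None and len(observed) - start >= min_run:
        alerts.append((start, len(observed) - 1))
    return alerts


if __name__ == "__main__":
    print(sustained_deviations(OBSERVED, build_baseline(BASELINE)))
```

    With the constructed data, the isolated reading of 61 is ignored and only the four-sample run from 78 to 88 is reported.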

    The SCVMM product provides more than simply the ability to monitor performance and utilization in the environment.  Virtual Machine Manager also provides the security administrator the ability to cluster virtual hosts so that in the case of a downtime event, virtual machines can be manually failed over to be brought up on another similarly configured host.  This approach provides something of a warm standby at all times in environments where there is a unified storage model such as that provided by a shared SAN.  The ability of VMM to provide V2V and P2V migration in the current generation SCVMM product, combined with the stated intention for the next version of SCVMM to provide live migration capability, gives security professionals and architects a strong roadmap for building a consolidation environment with immediate and future improvements in reliability.

    Snapshot as Practical Storage Considerations Allow

    Hyper-V introduces the capability to take live snapshots of the state of the virtual machine at a point in time.  Similar to the mechanics of the snapshot process for a NetApp filer in a storage environment, the snapshot concept in Hyper-V extends the undo disks of Virtual PC and Virtual Server 2005 to provide the ability to capture multiple states and return to any of them according to the needs of the owning organization.   The engineer or architect for the consolidation environment should plan on the ability to host snapshots at least to be able to return to the state of the guest VM at the time of initial complete application configuration.  In development environments, snapshots provide the ability to return to a pre-change state relatively quickly when a developer is applying an unverified hotfix or software patch to the applications hosted on the guest VM.

    When you start taking these kinds of snapshots, however, it is important to recognize that snapshots consume storage, and space must be allocated for them in order to use the snapshot capability.  The reliance on differencing between the virtual hard disk and the snapshot allows the snapshot to be significantly smaller than the size of the underlying VHD.  The drawback here is that, with differencing, snapshot growth depends on the amount of change between snapshots and the underlying VHD, which makes it difficult to estimate a baseline for the amount of space to set aside.

    Applying SOA with Distributed Guests Can Provide More Security in a Virtual Environment

    In Service Oriented Architecture, the components of the overall solution being developed can, and often do, exist on independent physical servers.  When consolidating the data center using a virtualization platform, these sometimes not-fully-utilized server instances are often an excellent target for virtualization.  Larger environments that involve a number of hosts provide the theoretical capacity to design additional security into the environment by partitioning the physical layer on which each layer of the service oriented architecture would be hosted.  In theory, if a single host were to host 3 tiers of a multi-tiered service-based application, if the underlying physical server were to be compromised (or the hypervisor residing thereon), all three guests are highly open to compromise and essentially would be assumed to potentially be compromised in short order.

    In a larger Hyper-V based architecture, the engineer or architect can plan to distribute the tiers that comprise the entire application across multiple independent servers.  This allows the architect to extend the modular approach to protect against simultaneous compromise by, at minimum, partitioning the individual tiers onto different host platforms.  While the organization needs to be careful not to fall back into the anti-practice of attempting to establish security by obscurity, there is the potential for very real value from the segregation in this solution.  If one host, for example, could not apply a critical patch for some reason, and is subsequently compromised, the separated platform would mean that in our 3-tier example above, theoretically the other two tiers may not be compromised based on the design and architecture of the application being hosted.  This separation offers the potential to extend the overall security of the architecture slightly, simply by being careful not to group all instances of application services on one physical platform that could be compromised.
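    A placement review along the lines of the 3-tier example above: for each host, which application tiers are exposed if that host or its hypervisor is compromised, and which applications have every tier on one host.  This is an added example, not part of the original post; the application, tier and host names are assumptions and the placement data is constructed.

```python
# Constructed placement: application -> tier -> Hyper-V host running that tier's guest.
PLACEMENT = {
    "orders":  {"web": "HV-HOST-A", "app": "HV-HOST-A", "db": "HV-HOST-A"},
    "billing": {"web": "HV-HOST-A", "app": "HV-HOST-B", "db": "HV-HOST-C"},
    "reports": {"web": "HV-HOST-B", "app": "HV-HOST-B", "db": "HV-HOST-C"},
}


def exposure_by_host(placement):
    """For each host, list the application tiers exposed if that host
    (or the hypervisor on it) is compromised."""
    exposure = {}
    for app, tiers in placement.items():
        for tier, host in tiers.items():
            exposure.setdefault(host, {}).setdefault(app, []).append(tier)
    return exposure


def placement_findings(placement):
    """Label each application: 'full' if one host carries every tier,
    'partial' if some tiers share a host, 'separated' otherwise."""
    findings = {}
    for app, tiers in placement.items():
        per_host = {}
        for tier, host in tiers.items():
            per_host.setdefault(host, []).append(tier)
        worst = max((len(t) for t in per_host.values()), default=0)
        if len(tiers) > 1 and worst == len(tiers):
            findings[app] = "full"
        elif worst > 1:
            findings[app] = "partial"
        else:
            findings[app] = "separated"
    return findings


if __name__ == "__main__":
    for app, label in placement_findings(PLACEMENT).items():
        print(f"{app}: {label}")
    print(exposure_by_host(PLACEMENT)["HV-HOST-A"])
```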
