VBOK #12 - RAM/Hacking NT
______________________________________________________________________

TOC
1. RAM
2. Security Issues
3. Software Review
4. Cool Sites
5. Nickel Knowledge

If the columns in the articles below appear misaligned, it's because you are using a non-fixed-width font. If you would like to see them nice and straight, change your e-mail font to Times New Roman.

A personal note: Sorry to everyone who was confused in previous issues about the above statement. As it turns out, the misalignment was caused by my e-mail client (Eudora Pro 4.0). I am now using a new e-mail client (The Bat!), and the alignment is correct. So if you are still seeing messed-up columns, then the above paragraph still applies to you. Thanks.
______________________________________________________________________

1. RAM (Random Access Memory)
------

It used to be very simple when buying RAM. Not so anymore. Besides the plethora of new names and capabilities, only properly equipped motherboards can use the various types. So here is a breakdown of the most common types of RAM you will run across, as well as some other interesting information about it.

RAM stands for Random Access Memory, which means that it should be able to find any data stored in it directly (without having to skip over lots of other data). An example of non-random access would be an audio tape. If you wanted to hear song number four, you would have to fast forward over songs one, two and three. Contrast this with a random access device like a CD. If you want to hear song four, you go directly to the beginning of song four. Here's an interesting notion: if you think about it, even vinyl records (albums) were random access.

There are two main types of RAM: DRAM and SRAM. I'll discuss SRAM in the section following DRAM.

DRAM - Dynamic RAM
------
These are the most common and least expensive, and pretty much describe all RAM types with the exception of SRAM (see SRAM section).
DRAM uses capacitors (generally 30-50 femtofarads) in the chip to store an electrical charge (if it has a charge, that's a 1; if there is no charge, it's a 0). This type of RAM is called dynamic because it needs to be refreshed (updated) constantly (it generally holds a charge for 1ms (one thousandth of a second)). Why? Well, capacitors normally lose their charge over a period of time, and this is accelerated each time the CPU scans (polls) the memory for its data. This poll checks for the storage of voltage across the capacitor, and the poll depletes quite a bit of the energy stored there. Therefore, it needs to replace this energy so that your one (1) doesn't become a zero (0). This type of RAM is also referred to as volatile RAM. Volatile RAM is RAM that loses all the information stored in it when power is removed.

DIPP - Dual In-line Pin Package
------
This is the type of component you think of when someone says "chip". You used to have to install individual chips to populate a motherboard's RAM banks. There are DIPPs on SIMMs, SIPPs, and DIMMs.

SIMM - Single In-line Memory Module
------
Sometimes referred to as stick RAM. It looks like a miniature peripheral card (meaning it has little finger contacts at the bottom), a little bigger than a stick of gum. They come in two main varieties, 30 pin and 72 pin. When physically looking at the stick, 30 pin has... you guessed it, 30 finger contacts. 72 pin has 72, but an easier way to identify them without counting the contacts is this: if the contacts are contiguous across the bottom, it's 30 pin. If there is a break in the contacts right in the middle, then it's 72 pin. 168 pin DIMMs also have a break in the finger contacts, but it looks quite a bit different from a 30 or 72 pin SIMM.

SIMMs have a 32 bit data path (meaning a stick can provide the CPU with 32 bits of data at a time). 486 motherboards had a 32 bit path, so that is why you could add memory one stick at a time.
Pentiums have a 64 bit data path, therefore you have to build evenly (two sticks at a time). A stick of RAM at 32 bits x 2 gives you 64 bits for your data path. There's a type called double sided SIMMs, which are basically two single sticks stuck back to back, but you can only address one side at a time because they use the same control line. Now, the double-sidedness depends on how the chip is wired. Some single sided SIMMs have chips on both sides of the stick, but aren't actually double sided SIMMs. Looking at a SIMM, many times it's difficult to tell what type it is, so if you remember these *general* rules, you should be all right:

- 1, 4 and 16MB 72 pin SIMMs are single sided.
- 2, 8 and 32MB 72 pin SIMMs are double sided.

To determine whether the SIMM is parity or not, these *general* rules will help. BTW, parity is usually referred to as x36 and non-parity as x32:

- On 30 pin SIMMs, count the number of chips (DIPPs) on the stick. If it's 2 or 8, it's probably non-parity. 3 or 9, it's parity.
- On 72 pin SIMMs, it's a little more difficult. Generally, if there are 4, 8, 16 or 32 chips, it's non-parity.

SIPP - Single In-line Pin Package
------
These were a short-lived configuration of RAM sticks. They were pretty much physically identical to the SIMMs, except that they had pins instead of the finger contacts.

DIMM - Dual In-line Memory Module
------
These are the new type of RAM modules. 64 bit (upgrade one stick at a time for 64 bit bus systems), and they have 168 pins (finger contacts).

HOW IT WORKS:
Data is stored in cells, like the way a spreadsheet is laid out. You have data stored in a cell at a certain row and column. Memory is accessed like this too. There are two signals, RAS (Row Access Strobe) and CAS (Column Access Strobe). These two signals together (RAS first, then CAS) determine the row and column of the cell containing the data you want.
There is actually quite a bit more going on, but for the purposes of this article, I'm not going to get too deep into that.

I would like to go ahead and dispel a common misconception right up front. Many people believe that if you install faster RAM (a lower number is faster, i.e. 50ns is faster than 70ns) you will see a performance increase. This is not true. If the speed of the RAM is faster than the CPU can access during its polling cycle (bus speed), then the RAM sits idle until the next polling cycle. So the best option is to find out what your motherboard manufacturer recommends, and put that speed of RAM in. You can see the correlation of CPU speed in MHz to speed in ns below:

Clock     Cycle
25MHz     40 nsec
33MHz     30 nsec
50MHz     20 nsec
66MHz     15 nsec
100MHz    10 nsec
200MHz     5 nsec

A ns, or nanosecond, is a billionth of a second. This is the amount of time that it takes electricity to travel about one foot. Another point of interest is that you can mix chips with different speeds, but the faster chips will only run as fast as the slowest chip installed.

Some RAM pins are gold and others are tin/lead. Many people say you should buy RAM whose pins are made of the same type of metal as your sockets, while others say that it isn't important. I haven't tested this to prove it one way or the other, but I do know that dissimilar metals will react and start corroding. The people who say it isn't important believe that the amount of time before this begins to happen will generally be longer than the life of the system. Personally, I collect legacy systems, so to me it will make a difference. Those of you who buy a new computer every couple of years will probably not have anything to worry about.

DIFFERENT TYPES OF RAM:

FPM DRAM - Fast Page Mode DRAM
------
An improvement over straight DRAM. It treats contiguous blocks of memory as pages.
The premise behind this is that if a needed piece of data is pulled from a certain location in secondary storage, most likely the next piece you need will come right after the previous piece. Getting back to the RAS and CAS, another shortcut to speed up RAM was to initially use a RAS and CAS, and then each subsequent read only needed a CAS. Why? Well, because of the spreadsheet-type layout (except that the information is stored sequentially, horizontally), you are already on the right row, so to get the next piece of information you only need to move over a column.

- 60 to 70 ns
- 30MHz max bus speed. A standard Pentium has a 66MHz bus speed, so you can see how FPM DRAM is behind the power curve.

EDO DRAM - Extended Data Out DRAM
------
EDO RAM is FPM RAM (they are architecturally the same) with the exception of the buffering circuitry. The data coming off an EDO chip is valid longer than on FPM RAM. This all has to do with timing and polling cycles from the CPU. The data is valid longer, so the CPU doesn't have to re-request the same data again, hence the name extended data out.

***NOTE: Many motherboards support both FPM and EDO SIMMs. Use one or the other, but do not mix them.

- 45, 50, 60 and 70 ns
- 10 to 15 percent faster than FPM DRAM
- 66MHz bus speed maximum

BEDO DRAM - Burst Extended Data Out DRAM
------
Think of this as a caching-type system, except it's better. The CPU sends a burst to the RAM with requests for the data it needs. This burst contains four elements. The first element is a request for the data it needs now, and the next three are requests for data it will need next. This is better than caching, because the CPU knows exactly what data it will need next, as opposed to an educated guess performed by caching algorithms.

- 66MHz bus speed maximum
- Only supported by VIA 580UP, 590UP and 680UP chipsets.

SDRAM - Synchronous DRAM
------
The RAM is synched to the system clock, and it allows two pages of memory to be open simultaneously.
- 6, 7, 10 and 12 ns
- 100MHz bus, but older SDRAM chips are limited to a 60MHz bus.

OK, that covers the DRAM section. These are the chips that make up your system memory, which is also referred to as your primary storage. The next section deals with RAM used for a different but similar purpose.

SRAM - Static RAM
------
This type of RAM is common in that it is used in your L2 cache (I'll explain this in the next section). SRAM is also pretty expensive (compared to DRAM). Why is it so expensive? Because it's very fast. It's not as fast as your CPU, but it's way faster than DRAM. SRAM uses transistors to create bi-stable (capable of two states) circuits in the chip. Because voltage is only necessary when changing the state of the bi-stable circuitry (i.e. a one to a zero), it doesn't need to be refreshed. SRAM is also called NVRAM or Non-Volatile RAM (if you pull the chip out of its socket and lay it on the table, it still retains the information it had before you pulled it out). Generally SRAM operates at around 12ns.

L2 Cache
------
L2 or Level 2 cache is RAM used specifically to hold data that was predicted by the caching algorithm to be needed next for processing in the CPU. Because this is a prediction, there are two terms associated with it: cache hit and cache miss. There are also a couple of other terms, write through and write back, but I'm still having problems understanding them fully, so I won't try to explain them. If any of you readers out there have a good handle on it, please hook me up with a good explanation. Cache is also used as the intermediary from the CPU to your DRAM. 256KB of L2 cache is needed for 64MB of DRAM, and 512KB of L2 cache is needed for 128MB of DRAM. In Pentium II systems, the L2 cache is built into the processor assembly, and can handle the caching requirements for up to 2GB.

Async SRAM - Asynchronous SRAM
------
Not in synch with the clock, so the CPU must sometimes wait to get the data it needs.
Sync SRAM - Synchronous SRAM
------
In synch with the clock.

- 8.5ns
- 66MHz bus speed max.

PB SRAM - Pipeline Burst SRAM
------
The data is collected into packets called bursts. It is not quite as fast as Sync SRAM, but it is much faster than Async SRAM.

- 4, 5, 6 and 8ns
- 75MHz bus speeds and up.

That covers the SRAM section; now I'll move on to RAM used in graphics.

VRAM - Video RAM
------
This and the next two types of RAM are used on graphics cards to take the load off of your system RAM. Video cards store the pixel values of a graphical display. VRAM is dual ported (two access ports: one to refresh the display and one to change the stored data for the next display). This effectively doubles the bandwidth of DRAM and SRAM.

WRAM - Windows RAM
------
Dual ported, graphics only. It offers 25 percent higher overall performance over VRAM, plus it uses double buffering (several times faster than VRAM), and has faster refresh rates. It was developed by Matrox.

SGRAM - Synchronous Graphics RAM
------
Single ported, dual bank (two memory pages open simultaneously, which almost matches dual ported). It's good for 3D, due to block writes that speed up screen fills as well as fast memory clearing (3D requires very fast memory clearing, around 30 to 40 times a second). This type of RAM was developed by Micros.

That covers the different types of RAM, so here are some companies and what types of RAM they make.
Fujitsu Microelectronics                SDRAM
Hitachi America                         EDO DRAM, SRAM
Hyundai Electronics America             SDRAM, SGRAM, VRAM
IBM Microelectronics                    SDRAM, VRAM
Micron Technology                       EDO DRAM, SGRAM
Mitsubishi Electronics America          CDRAM, EDO RAM, 3D RAM, SDRAM
Mosel Vitelic                           Burst DRAM
NEC Electronics                         HPM DRAM, SDRAM, RDRAM
OKI Semiconductor                       Burst/EDO DRAM, RDRAM, SDRAM, SGRAM, VRAM, WRAM
Ramtron International                   EDRAM
Samsung Semiconductor                   EDO DRAM, RDRAM, SDRAM, SGRAM, VRAM, WRAM
Texas Instruments                       EDO DRAM, SDRAM, VRAM
Toshiba America Electronic Components   SDRAM, RDRAM

Just for information purposes, here are the RAM requirements systems generally had.

386 Systems
------
- Older models took straight DRAM chips, but many of the newer models used 30 pin SIMMs, and some even used 72 pin SIMMs.
- If the system used SIMMs, the 30 pin type had to be installed in full banks. This meant that to get 4MB of RAM, you had to install four 1MB SIMMs.
- If it used 72 pin SIMMs, they could be installed one at a time, i.e. to get 4MB, you installed one 4MB SIMM.
- Normally required 70 or 80ns speeds.
- Generally used parity.

486 Systems
------
- Used 30 pin or 72 pin FPM SIMMs.
- 30 pin SIMMs were still installed in full banks.
- 72 pin SIMMs could be installed one at a time.
- 60 or 70ns speeds.
- Depending on the motherboard, you could use either parity or non-parity.

Pentium, Pentium Pro, and Pentium II Systems
------
- Use 72 pin SIMMs or 168 pin DIMMs.
- ECC or non-parity depending on the system, but usually non-parity EDO, FPM, or SDRAM.
- DIMMs are buffered or unbuffered, but the two are not interchangeable.
- 72 pin SIMMs are installed in pairs and DIMMs singly.
- 50, 60 or 70ns speeds.
- Generally non-parity, but some motherboards could use ECC (Error Checking and Correcting).

Installing SIMMs
------
Every SIMM has a notch on one end of the stick at the bottom next to the pins. Make sure that this notch is on the same side as the SIMMs currently in your system.
Slide the SIMM stick in at about a 45 degree angle, making sure it sits completely in the slot. Now tip the SIMM towards the metal clips on either side of the slot. You should feel them click into place as the stick comes into the upright position. Ensure that the stick is firmly and fully seated in the slot (not half in and half out).

***NOTE: Be careful of static discharge. You should ground yourself to the machine case (with power off to the system) and remain in contact (skin to metal) while you install the SIMMs. I usually rest a forearm on the case side, leaving my hands free as well as steadying them.

Here are the configurations for banks and SIMM RAM sticks.

              Bank 0                      Bank 1
Memory Size   SIMM 1        SIMM 2        SIMM 3        SIMM 4
8MB           1MBx32/x36    1MBx32/x36    ------        ------
16MB          2MBx32/x36    2MBx32/x36    ------        ------
16MB          1MBx32/x36    1MBx32/x36    1MBx32/x36    1MBx32/x36
24MB          1MBx32/x36    1MBx32/x36    2MBx32/x36    2MBx32/x36
32MB          4MBx32/x36    4MBx32/x36    ------        ------
32MB          2MBx32/x36    2MBx32/x36    2MBx32/x36    2MBx32/x36
40MB          1MBx32/x36    1MBx32/x36    4MBx32/x36    4MBx32/x36
48MB          2MBx32/x36    2MBx32/x36    4MBx32/x36    4MBx32/x36
64MB          8MBx32/x36    8MBx32/x36    ------        ------
64MB          4MBx32/x36    4MBx32/x36    4MBx32/x36    4MBx32/x36
72MB          1MBx32/x36    1MBx32/x36    8MBx32/x36    8MBx32/x36
80MB          2MBx32/x36    2MBx32/x36    8MBx32/x36    8MBx32/x36
96MB          4MBx32/x36    4MBx32/x36    8MBx32/x36    8MBx32/x36
128MB         16MBx32/x36   16MBx32/x36   ------        ------
128MB         8MBx32/x36    8MBx32/x36    8MBx32/x36    8MBx32/x36
136MB         1MBx32/x36    1MBx32/x36    16MBx32/x36   16MBx32/x36
144MB         2MBx32/x36    2MBx32/x36    16MBx32/x36   16MBx32/x36
160MB         4MBx32/x36    4MBx32/x36    16MBx32/x36   16MBx32/x36
192MB         8MBx32/x36    8MBx32/x36    16MBx32/x36   16MBx32/x36
256MB         16MBx32/x36   16MBx32/x36   16MBx32/x36   16MBx32/x36
256MB         32MBx32/x36   32MBx32/x36   ------        ------
264MB         1MBx32/x36    1MBx32/x36    32MBx32/x36   32MBx32/x36
272MB         2MBx32/x36    2MBx32/x36    32MBx32/x36   32MBx32/x36
288MB         4MBx32/x36    4MBx32/x36    32MBx32/x36   32MBx32/x36
320MB         8MBx32/x36    8MBx32/x36    32MBx32/x36   32MBx32/x36
384MB         16MBx32/x36   16MBx32/x36   32MBx32/x36   32MBx32/x36
512MB         32MBx32/x36   32MBx32/x36   32MBx32/x36   32MBx32/x36

OK, an explanation is in order for the math behind this. You see numbers like 2x16x32, and you're probably wondering how this correlates. It works like this. The first number (2 in this case) is the number of physical SIMMs. Here's how you work the math: take the last number (32 in this case; remember 32 is non-parity, and 36 is parity) and divide by 8. This gives you 4 (in the case of 36, it is still 4, because the extra 4 bits are used for parity and not actual memory storage). Now multiply the 4 by the middle number (16 in this case). This gives the result of 64. Now multiply this result by the first number (the number of physical SIMMs). So, 64 x 2 is 128. This is the total capacity of this particular RAM configuration. Let's try another:

4x32x32
32 / 8 = 4
4 x 32 = 128
128 x 4 = 512MB

Cool, huh? There is a lot more I could cover on this subject, but I think I'm going to quit now. Maybe I'll do some more on this subject in another newsletter: stuff like wait states, exactly how the RAS/CAS signalling works, etc.
______________________________________________________________________

2. Security Issues
by The NMI
------

Greetings, VBOK readers! The NMI here with this issue's security section. The topic for this article will be Windows NT security. I know all you Mac users reading this may be impatient for some actual Mac news, so let me just inform you now that the very next article will be on a Mac topic! (Provided, of course, that I get off my butt and stop coding PC stuff long enough to learn more about Macs. :) Anyway, on to the NT stuff.
****NOTE**** If you are involved with an NT network in any way, for instance a system at your workplace, you may want to take careful notice of the following information:

Many system administrators frequently tout the security benefits of using Windows NT over a Unix or Win95/Win 3.11 type of setup, claiming that with the newer NT features, the network is impenetrable. We hackers know different. There are quite a few vulnerabilities in the NT setup, and while some of these are, of course, due to lack of specific feature knowledge on the part of the technician setting up the NT system, there are certain intrinsic weaknesses, one of which I will discuss here.

HOW IT WORKS:
This particular vulnerability deals with how Win95/3.11 machines connect to an NT system (the server). Now, on most of the "NT" networks that I've come across, most if not all of the "client" (user) machines have been Windows 95 systems, connected to the NT server over a LAN (local area network). The problem with this lies in the "authentication protocols", or how the NT system "talks" to the client to find out if the person trying to log on is an authorized user. When the networking client creates a new connection to an NT Server, it is possible for another computer on the same physical network to fool the client into sending a clear-text password to the NT Server. Normally, the password would be encrypted, but with a rather simple "cracking" program (see footnote), the client's now unencrypted password can be "read" by any other computer on that same network.
When this "cracking" program is running, it scans the network for what are called "SMB negotiations" (what happens when the client is trying to connect to the server) and, upon detecting one, the computer running the cracking software sends a single message, or "packet", to the client trying to log in, telling it to "downgrade" its connection attempt from sending an encrypted password to sending a plain text password, at which point the client complies by sending its password in plain text. Once this happens, the cracking program snatches up the easily viewable password as it is sent to the server, logs it to a file or just displays it on the screen of the person "snooping" the network. The client that was trying to log in will succeed in connecting to the NT machine, unaware that anything has happened, and the password is now there for the taking.

WHAT YOU CAN DO:
For starters, the patch to fix this WAS at Microsoft's web site, but guess what: they've removed their patch! This is what they've said (URL follows):

"The LM-FIX hotfix has been temporarily removed from distribution. During complete regression testing, we determined that under certain limited configurations there is a problem with this hotfix and certain DCOM features. We are investigating the extent of this interaction and will issue an updated hotfix as soon as it's available."

"Customers that have already deployed this hotfix do not need to remove it if they are not seeing DCOM connection errors after installing this hotfix. We have had no customers actually report a problem to us, but rather this is a proactive step until we complete additional tests. Once these tests are complete, we will reissue this hotfix."

This was taken from:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/lm-fix/Readme.txt

So what does all this junk mean? It means that until Microsoft decides it has a working version of this patch, your system will remain vulnerable to this type of attack!!
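As an added example (not from the newsletter or from the tool it describes), here is a small offline detector for the downgrade just described: it parses SMB1 NEGOTIATE replies seen on the segment, flags any reply whose security-mode byte clears the encrypt-passwords bit (the client would then send its password in clear text), and flags a negotiate that was answered by more than one host, since both the real server and the injecting machine reply to the same request. The SMB header and NT LM 0.12 negotiate-response layout follow the MS-CIFS specification; the host names and frames are constructed test data.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS_REPLY = 0x80
NEGOTIATE_ENCRYPT_PASSWORDS = 0x02   # SecurityMode bit: challenge/response in use
HEADER_FMT = "<BIBHH8sHHHHH"          # header fields after the 4-byte magic (28 bytes)


def build_negotiate(reply, mid, security_mode=0x03):
    """Build a minimal SMB1 NEGOTIATE request or NT LM 0.12 response (constructed test data)."""
    flags = SMB_FLAGS_REPLY if reply else 0
    header = SMB_MAGIC + struct.pack(HEADER_FMT, SMB_COM_NEGOTIATE, 0, flags, 0, 0,
                                     b"\0" * 8, 0, 0, 0, 0, mid)
    if reply:
        # WordCount=17, then DialectIndex (2 bytes) and SecurityMode (1 byte); rest zeroed
        params = struct.pack("<HB", 0, security_mode) + b"\0" * (34 - 3)
        return header + bytes([17]) + params + struct.pack("<H", 0)
    dialects = b"\x02NT LM 0.12\x00"
    return header + bytes([0]) + struct.pack("<H", len(dialects)) + dialects


def parse_negotiate(payload):
    """Return {'mid', 'reply', 'security_mode'} for an SMB1 NEGOTIATE message, else None."""
    if len(payload) < 33 or payload[:4] != SMB_MAGIC:
        return None
    cmd, _status, flags, _f2, _pidh, _sig, _res, _tid, _pid, _uid, mid = \
        struct.unpack_from(HEADER_FMT, payload, 4)
    if cmd != SMB_COM_NEGOTIATE:
        return None
    is_reply = bool(flags & SMB_FLAGS_REPLY)
    security_mode = None
    if is_reply and payload[32] >= 2 and len(payload) >= 36:
        security_mode = payload[35]      # byte after WordCount + DialectIndex
    return {"mid": mid, "reply": is_reply, "security_mode": security_mode}


def detect_downgrade(frames):
    """frames: iterable of (src_host, dst_host, smb_payload). Returns a list of alert strings."""
    alerts = []
    repliers = {}                        # (client, MID) -> set of hosts that answered it
    for src, dst, payload in frames:
        msg = parse_negotiate(payload)
        if msg is None or not msg["reply"]:
            continue
        repliers.setdefault((dst, msg["mid"]), set()).add(src)
        sm = msg["security_mode"]
        if sm is not None and not sm & NEGOTIATE_ENCRYPT_PASSWORDS:
            alerts.append(f"plaintext-password negotiate reply to {dst} from {src} (MID {msg['mid']})")
    for (client, mid), hosts in repliers.items():
        if len(hosts) > 1:
            alerts.append(f"negotiate MID {mid} from {client} answered by {len(hosts)} hosts: {sorted(hosts)}")
    return alerts


# Constructed traffic: the client asks, the real server answers with encryption
# required, and a third host on the segment injects a reply with the bit cleared.
SAMPLE_FRAMES = [
    ("client-pc", "nt-server", build_negotiate(reply=False, mid=7)),
    ("nt-server", "client-pc", build_negotiate(reply=True, mid=7, security_mode=0x03)),
    ("rogue-pc", "client-pc", build_negotiate(reply=True, mid=7, security_mode=0x01)),
]

if __name__ == "__main__":
    for line in detect_downgrade(SAMPLE_FRAMES):
        print("ALERT:", line)
```

On a real network the same two checks can be run over NEGOTIATE replies pulled from a packet capture; a reply with the encrypt bit clear, or two answers to one request from different hosts, is the signature to alert on.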
WHAT YOU CAN REALLY DO:
The best way to prevent this from happening is to keep careful tabs on the programs running on your network! You (or your system administrator) should have access to several methods of logging all programs run on your networked machines, and these logging methods should ALWAYS be enabled. Please keep in mind that computer security does not start at the password prompt. It depends on ACCESS to the computers, as well as the passwords. In situations where you cannot effectively maintain control over physical access, the logging methods I discussed above should ensure that you have some way of tracing down when and where the offending program was executed.

OK, folks, good luck, and see you next issue!

(Footnote: The program that does all this is called c2myazz.exe, and can be found at: http://www.technotronic.com/files/Microsoft/c2myazz.zip)

Have Phun!
The NMI
______________________________________________________________________

3. Software Review
------

SciTech Display Doctor
Graphics utility (PC)

SciTech's Display Doctor (SDD) is a tool to help you attain maximum performance from your graphics card. Currently it supports over 250 different graphics chipsets, so unless you've home-built your card, SDD will be able to help you out. SDD will work out an optimal performance configuration for those of you not wanting to get into the nitty-gritty, but leaves all sorts of configurable options for the power user.
------
Sorry, I had to skimp on this section because I was writing the RAM article.
______________________________________________________________________

4. Cool Sites
------

10 BIG myths about copyright explained
It's actually eleven myths now, but the author didn't want to change the name. Ever wondered about copyrights, and how they protect you? I highly recommend reading this page. It's not in legalese jargon, just plain English, and it's not an overwhelming amount of information.
The page is laid out in a question/answer form, and dispels quite a few untruths.
------
PC Magazine On-line - PC Tech
This place is chock full of tech tips and tricks to help you out of those rough spots. There are also reviews of helpful software and web sites to cover what they didn't.
------
Annoyances.org
Are you ticked off about some problem with your Microsoft software? Well, annoyances.org is here to help. Tons of info and tips.
------
The Newcomer's Guide to PGP
Have you ever heard of PGP, but didn't know what it was? This is the site to check out to get in the know.
------
Freedows
No, it isn't a food! This is a new operating system being developed under the GNU Public License. So what's it supposed to do? I'll get to that in a minute. What's more important is that it will be FREE!!! Freedows is being built from the ground up by volunteers to replace multiple OSes. They say it will replace Win95, Mac OS, Linux, etc. You are even supposed to be able to customize it to look like your favorite OS. It should run all the applications from all these different OSes. There are a lot of "ifs", because it hasn't been completed yet. There is a very small beta group, but you need to go to this site to read all about it.
______________________________________________________________________

5. Nickel Knowledge
------
- The sun puts out 80,000 terawatts of power.
- 56 of all the species on Earth are insects.
- Think RSA crypto is secure? Think again!! The RSA Data Security DES Challenge II crypto contest distributed.net team cracked a 56 bit DES code in only 39 days. That's 72 quadrillion possible keys. Granted, they had 22,000 participants with 50,000 CPUs working on the problem, but they think that with specially designed hardware it can be cracked much, much faster.

Well, that concludes this issue. Have fun.

Leif Gregory

Copyright (c) 1998 by Leif Gregory. All rights reserved.
You may share this copy of the VBOK newsletter with others as long as it is reprinted/resent in its entirety, including this copyright notice. If you've received this edition of the VBOK newsletter from a friend or colleague and wish to start receiving your own copies, then click the link below and send the generated e-mail message.

Virtual Book Of Knowledge (VBOK)