Flashing IT Firmware to the LSI SAS 9211-8i HBA, 2014 EFI Recipe

Many, many thanks go out to Bryan Vyhmeister and alpenwasser for their original writeups on this topic.

Disclaimer: Not my fault if you screw this up.

At this point, I think you’re in the minority if you don’t have the ability to boot an EFI shell, so this is a concise version of what I did to flash the LSI SAS 9211-8i HBA to Initiator Target (IT) mode for use with FreeNAS.

Ingredients

Directions

Format the USB Flash Drive. Use Rufus or the built-in Windows formatting tool if you want, but use MBR and FAT, and there’s no need to make a bootable disk since we’ll be using EFI.

Open the two zip files you downloaded and find the following three files and copy them to your USB drive:

  • sas2flash.efi
  • 2118it.bin (from the Firmware\HBA_9211_8i_IT folder)
  • mptsas2.rom

Disconnect all the other drives and remove any extra controllers from your computer, leaving just the LSI card, then plug in your USB drive.

Figure out how to boot an EFI shell and do it.

If it lists your drives, that’s great; otherwise type map to display what drives are detected, then type mount <yourdrive> to mount the drive. For example, I typed mount fs0.

Type fs0: to switch to your mounted drive and ls or dir to verify that all your necessary files are there.

Now we flash!

sas2flash.efi -listall to show the controller and verify the current version.

sas2flash.efi -o -e 6 to erase the BIOS, do not reboot after this command.

sas2flash.efi -o -f 2118it.bin -b mptsas2.rom to write the new firmware and BIOS.

And finally, sas2flash.efi -listall once more to verify the updated card. Reboot and press Ctrl-C to get into the LSI BIOS and make sure you’re actually in Initiator Target (IT) mode.

Good luck!


SNMPv3 Configuration for Dell PowerConnect 3500 Series

So apparently SNMP should be secured. Disable write access if you don’t need it, and use SNMPv3 instead of the other versions.

I set up some ProCurve switches recently, and evilrouters.net had a great writeup on configuring SNMPv3. So configured me some ProCurve and went on my way.

Then came my Dell PowerConnect 3548P. I bought it before I decided to go with ProCurve for all the switches, but since it ain’t broke, let’s secure it.

Ideally, I’d configure it similar to the ProCurve switches, so that I can monitor it the same with Cacti and Spiceworks. I was able to map the ProCurve commands to PowerConnect speak for most of it, but I ran into a spot where the Dell documentation is painfully unclear:

auth-sha-key sha-des-keys — Indicates the HMAC-SHA-96 authentication level. The user should enter a concatenated hexadecimal string of the SHA key (MSB) and the privacy key (LSB). If authentication is only required, 20 bytes should be entered; if authentication and privacy are required, 36 bytes should be entered. Each byte in the hexadecimal character string is two hexadecimal digits. Each byte can be separated by a period or colon. (20 or 36 bytes)

Dell PowerConnect 3500 Series CLI Reference Guide, p354

In ProCurve land, I enter in plaintext passwords for both authentication and privacy, and it hashes that out for me, but here in the Dell universe, I haven’t the slightest idea how to make a key.

After a few hours of head scratching, here’s what I did.

You’ll need:

  • CLI access to your switch
  • A Linux machine. I’m using Ubuntu Server.

Log into your switch and type:


enable
show snmp engine id

It’ll spit out an engineID. Make note of that ID.

On your Linux machine, you’ll need to install the snmpkey utility. I did it with the following:


sudo apt-get install libnet-snmp-perl libcrypt-des-perl libdigest-hmac-perl

Then, run the following command to generate the mysterious keys:


snmpkey sha <auth_password> <engine_id> des <priv_password>

It should return an authKey and a privKey.

Back on your switch, move up to the config mode (type enable and config), then create a SNMPv3 group:


snmp-server group operatorauth v3 priv 

Then create the user and assign it to that group:

snmp-server user snmpuser operatorauth auth-sha-key <authKey><privKey>

Make sure there’s no space between the authKey and the privKey. This will create a user named snmpuser. And you’re done!

If you’ve got snmpwalk installed on your Linux server, test the connection with:


snmpwalk -v 3 -a SHA -A <auth_password> -u snmpuser -l authPriv -x DES -X <priv_password> <ip_of_switch>

With any luck, you should see a stream of OIDs.

If anyone has a smarter way to generate the keys, please let me know in the comments!
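
The keys in this procedure come from the RFC 3414 password-to-key algorithm, the standard derivation for SNMPv3 USM keys. As an added example (not part of the original post, and not Dell's or Net::SNMP's code), the following Python implements that derivation with SHA-1 and joins the 20-byte authKey and the 16-byte DES privKey into the 36-byte string the auth-sha-key option expects. The function names and the accepted engine ID separators are assumptions; passwords are read with getpass so they stay out of shell history and the process list.

```python
import getpass
import hashlib

MIB = 1048576  # RFC 3414 hashes exactly this many bytes of the repeated password


def parse_engine_id(text: str) -> bytes:
    """Convert an engine ID printed as hex into raw bytes.

    Assumption: the switch prints plain hex, optionally with a 0x prefix
    and '.', ':', '-' or space separators between bytes.
    """
    cleaned = text.strip()
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    for sep in ".: -":
        cleaned = cleaned.replace(sep, "")
    engine_id = bytes.fromhex(cleaned)  # raises ValueError on non-hex input
    if not 5 <= len(engine_id) <= 32:   # SnmpEngineID size limits (RFC 3411)
        raise ValueError("engine ID must be 5 to 32 bytes")
    return engine_id


def password_to_key(password: str) -> bytes:
    """RFC 3414 A.2.2: SHA-1 over the password repeated to fill 1 MiB."""
    pw = password.encode("utf-8")
    if len(pw) < 8:  # USM minimum length; net-snmp enforces the same floor
        raise ValueError("USM passwords must be at least 8 characters")
    reps, rem = divmod(MIB, len(pw))
    return hashlib.sha1(pw * reps + pw[:rem]).digest()


def localized_key(password: str, engine_id: bytes) -> bytes:
    """Bind the password-derived key to one device: SHA-1(Ku || engineID || Ku)."""
    ku = password_to_key(password)
    return hashlib.sha1(ku + engine_id + ku).digest()


def dell_sha_des_key(auth_password, engine_id_text, priv_password=None) -> str:
    """Return the hex string for auth-sha-key: 20 bytes (auth only) or 36 bytes."""
    engine_id = parse_engine_id(engine_id_text)
    key = localized_key(auth_password, engine_id)            # 20-byte authKey
    if priv_password is not None:
        # The DES privacy key is the first 16 bytes of the localized priv key.
        key += localized_key(priv_password, engine_id)[:16]
    return key.hex()


if __name__ == "__main__":
    eid = input("Engine ID from 'show snmp engine id': ")
    auth = getpass.getpass("Auth password: ")
    priv = getpass.getpass("Priv password: ")
    print("snmp-server user snmpuser operatorauth auth-sha-key "
          + dell_sha_des_key(auth, eid, priv))
```

The resulting hex string is all a client needs to authenticate to that one switch, so treat it as a secret just like the passwords.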


Static Devices on Remote Side of a SonicWALL Site-to-Site VPN? Remember to Renegotiate!

tl;dr If you are having trouble with devices that have static IPs on the remote side of your SonicWALL Site-to-Site VPN, go to VPN and click Renegotiate under the Currently Active VPN Tunnels.

We’ve got another warehouse with a site-to-site VPN set up using SonicWALL devices. It works decently enough for what we need.

While most of the workstations at the remote site get an IP from the DHCP server at the central site, some of the devices at the other warehouse have static IPs (printers, wireless APs, etc).

Defining these static IPs in the SonicWALL is pretty easy. On the remote gateway side, go to VPN –> DHCP over VPN –> Configure –> Devices Tab and enter the IP and MAC address of your static devices under Static Devices on LAN.

However, occasionally when adding another static IP, or when updating the firmware, or when it just feels like it, the routers will have trouble passing traffic from the central side to the remote side for just the static IPs. I’m using Nagios to report on the status of most of these devices, so it starts complaining fairly quickly that it can’t access them. Usually the remote side can still see those static devices, but for printers that connect back over the VPN to a printer server, this becomes a problem.

I used to think that just deleting all the static devices listed and re-adding them would work, but I had major problems with this today.

The workaround that seems to work for me now is simply going to the VPN settings page and clicking Renegotiate under the Currently Active VPN Tunnels section.

I don’t see anything like this written up on any of the SonicWALL support pages, so if anyone else runs into this weird situation, it’s worth a shot.


Extend Toner Life on Your Brother HL-2270DW By Enabling Toner Continue Mode

I’ve got a number of Brother HL-2270DW laser printers around the office, and they’re wonderful. I even have one at home. Wireless-capable with built in duplexing, and on sale the unit is under $100. What’s not to like?

Toner is fairly inexpensive too, but I like to squeeze as much of the life out of them as I can. By default, the toner life is strictly regulated by the page counter, and once the limit is reached, the printer stops until you replace the toner.

Enter the all important Toner Continue Mode. If the printer is networked, you can simply bring up the control panel by browsing to your printer’s IP in your browser. Click on Printer Settings (log in with username ‘admin’ and password ‘access’ if you haven’t changed the defaults) then make sure you set Replace Toner to Continue. Hit Submit at the bottom to save, and you’re set! You’ll be able to take the cartridge and shake it until you can’t shake it any more, just like the good ol’ days.

Important Note (12/20/2012): I just caught my error and updated the screenshot and post, but there’s a difference between the Continue Mode on the settings screen and the Replace Toner option. I think the Continue Mode will toggle the printer for recovering from a printer error, for example, after you unjam the printer. Replace Toner is the option you want to set, and isn’t available on all Brother printers. It’s super confusing because they call them the same thing…

I’ve found that after changing toner cartridges, this mode will often be reset, so you’ll need to remember to change it back when swapping cartridges.

The other method to set this is useful if your printer is in USB mode, directly connected to a computer. I just found out about this today. To quote Brother’s FAQ:

To enable Continue Mode, please follow the steps below:

Press the GO button 7 times (quickly). All of the LEDs should flash twice, and the Ready LED should turn on. Continue mode is now enabled.

To disable Continue Mode, please follow the steps below:

Press the GO button 7 times (quickly). All of the LEDs should flash once. Continue mode is now disabled.

I would assume this would also work for a networked printer, but it’s nice to know that this can also be set for a standalone one. There’s no setting in the driver to adjust this option, so here’s how to do it.


The Journey From MyFax to MetroFax

(edited 2012/09/20 to add some important caveats)

I’ve already established that MyFax is slowly going down the tubes. The following chronicles my experience switching to a new service.

After some research, I settled on MetroFax as my new internet faxing provider. They’re based just a few hours away from me in the beautiful Pacific Northwest, and don’t appear to be attached to any large corporate conglomerate of faxing companies. They’re a little cheaper too, which I can’t complain about.

Now, here’s the important thing to note: MetroFax doesn’t allow porting from MyFax numbers, because I believe they’ve historically had problems with MyFax releasing numbers. Go figure. They must’ve been burned pretty hard to not even bother trying anymore.

So how do you get to MetroFax without losing your number? The answer is NumberGarage.

An Important Caveat

As mentioned in the comments, you can only port a number out of MyFax that you originally ported in. Section 19 of the MyFax terms goes into the particulars on this, but essentially when signing up for their service they do not provide you with permanent access to the phone number if they assign it to you, and retain the right to take that number back and charge you money if you try to port it away.

MetroFax has a similar stipulation (see Limited License To Use; Limitation of Transfer Rights), so as much as I’ve been pleased with their service, this is something to keep in mind.

FaxLogic will actually allow you to port a number out that they’ve assigned to you, so if you don’t already have a faxing service and are thinking about starting out, this is a good option to consider.

(So no warranties here. Consider this an educational example of a possible process. I’m not liable if your experience is different than what’s documented here.)

Porting from MyFax to NumberGarage

Signup is painfully simple. Your account number is your fax number, after which you provide some contact information and carrier transfer info. There’s a $29.95 charge for the initial port, but for me that was better than losing the number or staying with MyFax.

You’ll also set up whether you want to park or forward your number. If you want uninterrupted faxing service, start up a trial account with MetroFax, and then set up forwarding in NumberGarage to forward to the number they assign you during the trial.

Providing a bill is the last step, and it’s a little tricky, as MyFax doesn’t provide you with a bill that shows your phone number. I ended up printing the bill, then taking a few screenshots highlighting my account number and phone number for verification, then zipping it all together and sending it as proof.

You’ll receive an email after they confirm the port request, followed by an estimated porting date.

Then you wait. And a few days later, success!

Porting from NumberGarage to MetroFax

The process here is about as easy as the first port. Make sure you’ve converted from the trial to a full plan, then contact MetroFax’s porting department, and they’ll send you over a Letter of Agency/Authorization (LOA) document to fill out. NumberGarage gives you a PDF bill the instant you sign up for their service, so attach that to the email with the signed LOA, and that’s all you need! Note that there’s another porting fee here, but it’s the price of doing business, I guess.

MetroFax will confirm with you that you want to replace your temporary number with the ported one, and then you wait.

A few short days later, you’ll be greeted with a welcome email with your ported number, and you’re done!

Cleanup and Final Thoughts

Be sure to cancel your MyFax and NumberGarage services at this point, or they will both probably gladly keep charging your card for services you no longer need. You could probably cancel MyFax immediately after porting out to NumberGarage, but I figure waiting until the whole process is completed is a little safer.

Prior to finding out about NumberGarage, I did another port from MyFax to MetroFax through a VOIP provider, and while it worked just fine, the process was much more convoluted than using NumberGarage. I also considered having our phone provider handle the port. NumberGarage just worked, and was easy to use.

Let me know in the comments if you find another service that works for you, or if MetroFax is ever able to start porting directly from MyFax.

Good luck porting!


Gmvault: gmail backup (Ubuntu install and setup)

(edit 8/20/2012: Originally written for v1.5, this has been tested and works fine as of Gmvault v1.7-beta, so just change things accordingly and install away! I’ve updated the links below.)

I’ve been using getmail for over a year to back up my Gmail account. As far as I know, it’s been working, but it just grabs email over POP, dumps them into an mbox file, and that’s that. It’s a fairly basic procedure, but since it just blindly downloads emails, getmail doesn’t account for ones I’ve deleted, and I don’t know if it keeps any label information.

So along comes Gmvault, the new kid on the block with fancy restore features and multiple OS capability. Let’s give it a shot.

Python should be installed on a default Ubuntu machine, but let’s install a few other pre-requisites as well. I’m using Ubuntu 12.04 LTS (Precise Pangolin).

sudo apt-get install python python-setuptools
sudo easy_install -U distribute

Then download the source package for Gmvault:

wget https://github.com/downloads/gaubert/gmvault/gmvault-v1.7-beta-src.tar.gz

Unpack it:

tar xvzf gmvault-v1.7-beta-src.tar.gz

Then install!

cd gmvault-1.7-beta/
sudo python setup.py install

The basic setup is about as simple as it comes:

gmvault sync your_email@gmail.com

The setup process will take you through an authentication process with your email account.

Since I ran the install on an Ubuntu headless server, it loaded the text-based w3m browser, in which I was able to log in to my account but was unable to approve Gmvault to access my email. Pressing ‘q’ quits the browser and you’ll be presented with an OAuth link you can copy into a normal browser and authorize Gmvault that way. (Note: you can manage what apps can access your Google Account at any time)

Once Gmvault is given the okay, it’ll start churning away downloading emails. Give it a few minutes (or hours) to finish, and feel better knowing that your hoard of oh-so-important emails is now tucked away in yet another location.

There’s a few other parameters you can pass to the program, which will allow you to change the vault database location, provide a user/pass rather than the OAuth token, and to run custom synchronization of certain emails. Take a look at the in-depth documentation on Gmvault.

After running the initial sync, you can run the following command to run a quick sync (only the last 2 months are scanned):

gmvault sync --type quick your_email@gmail.com

Restoration of emails appears to be straightforward (although I haven’t tried it) and emails are stored in month folders as individual .eml.gz and .meta files. The gzipping appears to be fairly efficient, as the Gmvault database reports to be about 2/3rds the reported size of my Gmail inbox. Not bad at all!

Also, for the sake of completeness, a few days after I wrote this I found out about BaGoMa, which is another Python-based utility to back up your Gmail. Seems to follow a similar path as Gmvault, but I like Gmvault’s ability to use OAuth rather than have to provide my password each time.

So far, Gmvault appears to have a simple and easy to use product that fits my needs. Good work!


Ubuntu 12.04 + rkhunter 1.3.8 = false positives!

rkhunter (Rootkit Hunter) is a wonderful tool to assist in securing your system, but it becomes much less helpful if it constantly reports false positives.

After updating your rkhunter.conf file appropriately, you may still be left with the following error:

Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'

This file can’t be whitelisted because it’s a symlink, and rkhunter 1.3.8 doesn’t check for this condition. The 1.4.0 release fixes this bug, but it’s not available from the Ubuntu repos. So you’ve got a few options.

  • Install rkhunter 1.4.0 manually.
  • Download the rkhunter 1.4.0 tarball and extract the executable and conf file yourself.
  • Patch the rkhunter executable.

I opted to patch the rkhunter executable, which really amounted to adding a few lines (one actual test case line + a few comments). Follow along!

Open up /usr/bin/rkhunter and move down to line 834. You should see the following:

Now, after line 846, you’ll want to add the following lines:

So it looks like this:

Save the file and then open up /etc/rkhunter.conf and add the following line:

ALLOWHIDDENFILE="/dev/.initramfs"

Save, and finally, update the rkhunter properties:

sudo rkhunter --propupd

There you go! There are a few other items that need to be whitelisted in the conf, but they should all work with the rkhunter 1.3.8, so it’s just a matter of updating the file accordingly.

Thanks to reinhold and Tim Miller Dyck for the patch implementation information and unSpawn for the actual patch. Here’s hoping to see an actual backport fix into the Ubuntu repos.


Synergy and Text Expansion Programs on Windows 7? Don’t run as admin.

Synergy is great. And text expansion/replacement tools are great (e.g., PhraseExpress or AutoHotKey). And Windows 7…well I guess it’s alright as well.

Synergy lets me share my mouse and keyboard between my Windows desktop, my Macbook, and even a Linux machine (if I still ran one at work). It even synchronizes the clipboard between screens. Great stuff.

PhraseExpress is my current favorite text expansion tool. I use it to insert my signature into emails and other places where I might repeatedly type something. And it’s free for personal use. I’d use TextExpander on my Mac, but I’m cheap.

Now here’s the problem: if you run Synergy (either 1.3.8 stable or 1.4.8 beta at the time of this writing) and install it to autostart on login, your text expansion tool will probably not work. So just run it manually after you log in, and you’ll be okay. The autostart process for Synergy requires administrative rights, and seems to interfere with the hooks that the text expansion tools need to work.

After switching to a new workstation, I installed my necessary programs including the ones listed above, and noticed that PhraseExpress didn’t work. I thought it was a problem with that specific program. I tried uninstalling and reinstalling and updating, and even tried AutoHotKey for a bit (which is great, but it’s

Until I come up with something smarter, I’ll just start Synergy manually when I restart my computer. That’s not the end of the world, and at least PhraseExpress will work.

So beware. Two great programs, but don’t run them as admin.


Upgrading to NConf 1.3.0 on Ubuntu 11.10 Oneiric Ocelot

Congrats to the NConf crew for reaching the 1.3.0 milestone! Two years in the making, but I’m excited to see the project continuing to move forward.

It’s been over a year since I originally installed and configured Nagios and NConf 1.2.6 on my Lucid Lynx server. In the meantime, I’ve upgraded the hardware and moved to Ubuntu 11.10 Oneiric Ocelot, mostly to keep up with the current releases. Not a whole lot has changed for what I use this server for, but keeping up with the Nagios releases in the repos has been convenient.

If you’re following along with this guide but starting fresh with Nagios and NConf, you’ll probably want to take a look at my previous guide and the NConf installation documentation to get some background information. I’ll try to provide some notes for those of you doing a fresh install, but since I’m just upgrading, I can’t make any promises.

Backups!

Log into your server and make them backups!

sudo cp -rp /var/www/nconf /var/www/nconf.bak
mysqldump -u root -p nconf > ~/nconf_sql.bak

I also backed up my Nagios configs

sudo cp -rp /etc/nagios3 /etc/nagios3.bak

Download and Unpack

Wget or otherwise download the latest version of NConf. Wget has that issue with following SourceForge links so you may need to rename the file.

Unpack the files and then copy them to where you installed NConf before, or do it all in one step:

sudo tar xzvf nconf-1.3.0-0.tgz -C /var/www

Then fix the permissions for the NConf folder, setting them back to your apache user:

sudo chown -R www-data:www-data /var/www/nconf

Upgrade

Browse to http://<yourserver>/nconf/UPDATE.php

Follow the prompts to proceed with the interactive update. NConf’s documentation on the update process has screenshots that I won’t repost here.

After the upgrade, you’ll need to remove some files and folders. Browse to your NConf folder and nuke them. I also had to remove the call_ajax.php file, which wasn’t in the original documentation.

cd /var/www/nconf
sudo rm -rf INSTALL/ UPDATE/ INSTALL.php UPDATE.php call_ajax.php

There’s been a few changes/additions to the NConf conf file, so open up config/nconf.php and add the following lines:

define('CHECK_UPDATE', 1);
define("DEBUG_GENERATE", 3); # [1=ERROR|2=WARN|3=INFO|4=DEBUG|5=TRACE]
define('CHECK_STATIC_SYNTAX', 1);

Also, set the ALLOW_DEPLOYMENT variable to 1 to enable deploying configs directly from NConf and comment out the other CONF_DEPLOY_ variables, as they aren’t used anymore.

define('ALLOW_DEPLOYMENT', 1);
#define('CONF_DEPLOY_URL', "https://webserver.mydomain.com/incoming_config.php");
#define('CONF_DEPLOY_USER', "deployUser");
#define('CONF_DEPLOY_PWD', "deployPass");

At this point, you should be able to log into NConf 1.3.0 and look around.

Migrating Deployment

With NConf 1.2.6, I used the ADD-ONS/deploy_local.sh script and a cron job to deploy configuration changes to Nagios. In 1.3.0, they’ve integrated this a little better into the core of the application, but it required some adjustment in my setup.

Start off by copying the deployment.ini sample configuration file to the config folder:

sudo cp /var/www/nconf/config.orig/deployment.ini /var/www/nconf/config/deployment.ini

Open up the config/deployment.ini file, uncomment the LOCAL deployment section except for the [copy nagios.cfg] section and change the target_file variables to reference the nagios3 folder where Ubuntu places the config files.

Also, add the reload command (sudo /etc/init.d/nagios3 reload) at the bottom of the [copy global config] section. When you’re done the file will look similar to the following:

;; LOCAL deployment ;;

[extract config]
type = local
source_file = "/var/www/nconf/output/NagiosConfig.tgz"
target_file = "/tmp/"
action = extract

[copy collector config]
type = local
source_file = "/tmp/Default_collector/"
;target_file = "/etc/nagios/Default_collector/"
target_file = "/etc/nagios3/Default_collector/"
action = copy

[copy global config]
type = local
source_file = "/tmp/global/"
;target_file = "/etc/nagios/global/"
target_file = "/etc/nagios3/global/"
action = copy
; *** add the line below
reload_command = "sudo /etc/init.d/nagios3 reload"
; *** keep this section and the rest of the file commented out
;[copy nagios.cfg]
;type = local
;source_file = "/tmp/static_cfg/nagios.cfg"
;target_file = "/etc/nagios/nagios.cfg"
;action = copy
;reload_command = "sudo /etc/rc.d/init.d/nagios reload"

This process replaces the deploy_local.sh script, but we’ll need to allow the web user to issue the Nagios reload. To do that, we need to modify the sudoers file:

sudo visudo

Then add the following lines:

# Allow www-data (apache) user to reload nagios
www-data ALL=NOPASSWD: /etc/init.d/nagios3 reload

Save and quit.

Finally, remove the entry in the root crontab that launched the old deploy script:

sudo crontab -e

And remove the line reading:

* * * * * /var/www/nconf/ADD-ONS/deploy_local.sh

Deployment Testing and Cleanup

Let’s make sure the new deployment procedure works. Back in the NConf GUI, click Generate Nagios config. You should hopefully see something like:

[INFO]  Starting generate_config script
[INFO]  Generating global config files
[INFO]  Generating config for Nagios-collector 'Default Nagios'
[INFO]  Ended generate_config script

If the config files generate successfully, you’ll see a button aptly labeled ‘Deploy’.

Click Deploy, and with any luck you’ll be presented with three OK messages in NConf and your Nagios Event Log should show a SIGHUP message.

Relax, and enjoy some JQuerified NConf 1.3.0 goodness! Gold star!

I did notice that the original deployment method left a bunch of old config tgz bundles, so if you’re feeling like cleaning those up, just remove the whole lot:

sudo rm /var/www/nconf/output/NagiosConfig.tgz.*

Update (6/25/12): You’ll want to remove the extended_host_info.cfg and extended_service_info.cfg files from your target config directory (/etc/nagios3/Default_collector/), or you might get weird problems trying to deploy later on. I just found this out six months later.

Troubleshooting Notes

  • The biggest problems I had were just remembering to reference nagios3 rather than nagios for paths and commands. Make sure you reference the correct locations. This caused me all sorts of weird grief with the sudoers file, and I didn’t catch it until later.
  • While NConf will run without the additional variables in config/nconf.php, it’ll log warnings until you add them.
  • I had to remove an extra file (call_ajax.php) before NConf would run. The file has been replaced with call_file.php which apparently fixes a security issue. At the time of this writing, removing this file wasn’t in the docs, but it complains until you nuke it.

Fresh Install of Nagios and NConf

From what I can tell, you can follow all the steps in my old guide for installing 1.3.0 up until you get to Configuring NConf to Deploy Nagios Configurations Automatically. At that point, follow the Migrating Deployment instructions from this guide.

Please leave a comment and let me know if you do a fresh install. I’d be curious to know how it works for you.

(edit 6/25/12 to add additional file cleanup instructions)

Rain-X Makes Ice and Snow Scraping Easier!

So this was a pleasantly random but surprising find:

Applying Rain-X to your windshield during the fall and winter months will make scraping snow and ice much easier!

Rain-X, for the uninformed, is the mystery window treatment that makes water bead up on the windshield, so that it virtually slides up and off the windshield when driving 35+ mph. Apply it during the afternoon during a dry fall or winter day, preferably after cleaning the windshield. Be sure to treat the rear window, your side windows (at least the front ones) and don’t forget the side mirrors.

If you’d like to really see what a difference it makes, don’t treat the back side windows. Then just wait for a frosty morning.

On a related note, buy yourself a Fantastic Ice Scraper. $2 for a great scraper with a brass blade. If you want more info, see the Cool Tools review. Buy them as stocking stuffers for your family!
