2007/12/17

Fun with zdump

Want to find the current time in places in other time zones? zdump is the answer.

# zdump Japan
Japan Mon Dec 17 11:31:55 2007 JST

If the place name contains two words, such as San Francisco or New Zealand, an underscore is to be inserted in between:

# zdump New_Zealand
New_Zealand Mon Dec 17 02:33:58 2007 New_Zealand

This is quite a handy and helpful tool.

2007/12/13

Microsoft DNS Server

Infoblox has completed its third annual survey of global DNS services. There are 11.7 million DNS servers running on the Internet. Less than 3% of them are running Microsoft DNS Server.

The reason is that Microsoft DNS Server lacks many important security features, such as IP address-based control of queries and dynamic updates of zone records.

I would advise Microsoft to stop bundling DNS Server in Windows 2003 server packages.

2007/12/10

Body Combat 34

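Body Combat 34 really gave me quite a surprise; the effort it takes is more than 40% higher than usual. In this release, all the focus is on brand-new kicks. I never imagined that a jump kick could be combined with Ginga; it is awesome. Track 6 will be the most popular. Why? The 270-degree kicking combination (1 sidekick, 1 frontkick + 1 back kick) is really powerful.

The arrival of Body Combat 34 also brings me another piece of good news: I finally no longer have to practise the evasive sidekick.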

2007/11/15

Change of IP Address for L root nameserver

How many system administrators check the IP addresses of the 13 root nameservers if they have DNS running? This should be checked at least once a year.

I have BIND installed on several Linux boxes, and yet the named.ca file dates back to Jan 29, 2004. It is now 2007; can you imagine that there has been no change in the IP addresses of the root nameservers? No: the latest named.ca has a date stamp of 1 Nov 2007. On further comparison, the IP address of the L root nameserver has changed:


. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42

Instead of downloading the new file, it will be easier to type the correct IP address in the appropriate position in that file.

2007/11/13

How big a tar file can be

For those who need to use tar for tape backup, a common question is how big a tar file can be. According to some online research, for kernel versions higher than 2.4.0 with Large File System support, the maximum size of a tar file is 2TB. I think this is big enough for any enterprise backup application. If I have a tape drive supporting 400 GB per tape, I will have to use 5 tapes.

Can we have such a powerful backup tool in Windows? Probably not.....

2007/10/04

Port 3306 mysql probe

I found a large number of failed connection attempts to port 3306 of my FC7 server. This port is for external hosts to connect to mysqld. Since I do not open mysqld to connections from other hosts, leaving this port open is a bad vulnerability, as bad guys can probe the mysqld root password.

Closing port 3306 can be done by amending the mysql config file. This is too complicated. I just use iptables to get this job done easily.

2007/09/25

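Old telephone lines

This is a very cheeky and pointed TV commercial:

The largest network operator you have chosen is still using old telephone lines for broadband. Yes, old telephone lines.

Then seeing the many movie characters queuing behind a narrow pipe, waiting to get in, really makes one burst out laughing.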

2007/09/24

dd and netcat coming together

"dd" coupled with "netcat" makes it possible to clone an entire hard disk to another server/PC over an intranet or the Internet as a binary image for forensic analysis.

This is really useful and avoids the need to open the PC case and remove the hard disk to replicate the binary image:


Forensics(192.168.1.7)% nc -l 37337 | dd of=/dev/hda

Evidence% dd if=/dev/hdb | nc 192.168.1.7 37337

2007/09/08

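Hong Kong Island Legislative Council by-election

Stop guessing. I believe Regina Ip Lau Suk-yee is certain to win if she stands. Why? With her name recognition and administrative experience, plus the full support of the pro-Beijing camp and the DAB, who in the pan-democratic camp can match her? So far, in terms of fame, only Anson Chan Fang On-sang can rival her, but Anson Chan does not belong to any democratic party, and having her run openly under the pan-democratic banner would certainly cause infighting. Just from the pan-democrats' long delay in settling on a candidate, one can be sure that their election momentum has already collapsed.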

2007/09/05

Protecting dovecot against brute force attacks with fail2ban

Some bad guys tried thousands of times to guess POP user accounts and passwords. I decided that brute force attacks on dovecot should be banned, similar to what I had done for vsftpd. To start the protection, the following lines were added to /etc/fail2ban/jail.conf:

[pop-iptables]
# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: true
#
enabled = true
filter = pop
action = iptables[name=pop, port=pop, protocol=tcp]
         sendmail-whois[name=pop, dest=root]
logpath = /var/log/secure
maxretry = 5

Fail2ban reported a failure on the fail2ban-pop chain. The mistake was that there is no port called pop in /etc/services. The correct name of the port is pop3 instead of pop. What a careless mistake I had made. After revising the section as follows, fail2ban started successfully, and testing confirmed that attacks on dovecot were banned:

[pop3-iptables]
# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: true
#
enabled = true
filter = pop3
action = iptables[name=pop3, port=pop3, protocol=tcp]
         sendmail-whois[name=pop3, dest=root]
logpath = /var/log/secure
maxretry = 5
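
The pop versus pop3 mistake can be caught before fail2ban is restarted. This is an added example, not from the original post or the fail2ban project: it checks every port= name in a jail file against a services file. The function names and the sample files written by write_samples are constructed for illustration.

```sh
#!/bin/sh
# Added example: find fail2ban actions whose port= is a service name that
# does not exist in a services(5) file (the pop vs. pop3 mistake).
# Function names and sample data are constructed for this illustration.

# jail_ports JAIL_FILE
# Print "section port protocol" for every action line that carries port=.
jail_ports() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        /^\[/ {                                   # [section-name]
            section = $0
            gsub(/\[/, "", section); gsub(/\]/, "", section)
            next
        }
        /port=/ {
            port = $0
            sub(/.*port=/, "", port); sub(/,.*/, "", port); sub(/\].*/, "", port)
            proto = "tcp"                         # assumed when protocol= is absent
            if ($0 ~ /protocol=/) {
                proto = $0
                sub(/.*protocol=/, "", proto); sub(/,.*/, "", proto); sub(/\].*/, "", proto)
            }
            gsub(/[ \t]/, "", port); gsub(/[ \t]/, "", proto)
            print section, port, proto
        }
    ' "$1"
}

# known_service NAME PROTO SERVICES_FILE
# Exit 0 if NAME/PROTO is defined, as primary name or alias, in the file.
known_service() {
    awk -v name="$1" -v proto="$2" '
        { sub(/#.*/, "") }                        # strip trailing comments
        NF < 2 { next }
        {
            split($2, pp, "/")                    # "110/tcp" -> port, protocol
            if (pp[2] != proto) next
            if ($1 == name) found = 1
            for (i = 3; i <= NF; i++) if ($i == name) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$3"
}

# unresolved_ports JAIL_FILE SERVICES_FILE
# Print "section:port/proto" for each non-numeric port that cannot be resolved.
unresolved_ports() {
    jail_ports "$1" | while read -r section port proto; do
        case $port in
            ''|*[!0-9]*)
                known_service "$port" "$proto" "$2" || echo "$section:$port/$proto" ;;
        esac
    done
}

# write_samples DIR: constructed jail file (both sections from the post)
# and a constructed excerpt in services(5) format.
write_samples() {
    cat > "$1/jail.conf" <<'EOF'
[pop-iptables]
enabled = true
filter = pop
action = iptables[name=pop, port=pop, protocol=tcp]
         sendmail-whois[name=pop, dest=root]
logpath = /var/log/secure
maxretry = 5

[pop3-iptables]
enabled = true
filter = pop3
action = iptables[name=pop3, port=pop3, protocol=tcp]
         sendmail-whois[name=pop3, dest=root]
logpath = /var/log/secure
maxretry = 5
EOF
    cat > "$1/services" <<'EOF'
# constructed excerpt
pop2    109/tcp   pop-2 postoffice
pop3    110/tcp   pop-3          # POP version 3
pop3    110/udp   pop-3
pop3s   995/tcp
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
unresolved_ports "$demo_dir/jail.conf" "$demo_dir/services"
rm -rf "$demo_dir"
```

On a live system the two arguments would be /etc/fail2ban/jail.conf and /etc/services.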

2007/08/30

Fedora Core 7 Kernel Bug

I noticed some kernel bugs in Fedora Core 7 which appear shortly after booting up.
The error log is like this :

BUG: warning at kernel/softirq.c:138/local_bh_enable() (Not tainted)
[] local_bh_enable+0x45/0x92
[] cond_resched_softirq+0x2c/0x42
[] release_sock+0x4f/0x9d
[] tcp_sendmsg+0x90b/0x9f9
[] dput+0x31/0xf7
[] inet_sendmsg+0x3b/0x45
[] sock_aio_write+0xf6/0x102
[] do_sync_write+0xc7/0x10a
[] autoremove_wake_function+0x0/0x35
[] sys_lstat64+0x1e/0x23
[] vfs_write+0xbc/0x154
[] sys_write+0x41/0x67
[] syscall_call+0x7/0xb
=======================

Other than getting an error message, I did not notice any abnormalities or application crashes afterward. I will just leave them for the time being until RedHat and Fedora Core issue a workaround or patches.

2007/08/29

Reciprocal Recognition Agreement (RRA) between HKIE and IET

I have been informed by IET that HKIE does not recognize the status of IET members when IET members in Hong Kong wish to apply for HKIE membership. The applications of our IET members are subject to a review which may comprise any or all of the following :


(a) Submission of a training and experience report
(b) Interview
(c) Essay test
(d) Submission of record of continuing professional development

We are further informed that HKIE has the discretion to determine the extent and scope of the review.

I am sure there are a large number of engineers in Hong Kong who wish to have dual membership of IET and HKIE. As a corporate member of IET, I feel frustrated to see the unnecessary restrictions/procedures imposed by HKIE. I would say that HKIE has done something detrimental to the status and professional development of all working engineers in Hong Kong.

2007/08/25

Le Tour De California

I joined the 3-hour marathon cycling class at Causeway Bay California Fitness Centre today. The event was called Le Tour De California. Certainly, this name was derived from Le Tour De France, which is the best-known cycling race in the world, a 22-day, 20-stage road race covering more than 3000km.

I was on the waiting list so I did not have a formal attendance certificate despite completing the challenge. Hey, it doesn’t matter. What I wanted to do is to participate in a marathon cycling challenge class with a large group of people. This is my second time. I will join again next year.

2007/08/23

JAlbum

The first web album software that I used was Album GV1.7, dating back to 2001. Album GV1.7 stayed with me for over 5 years until I switched to web album generator. Web album generator is good and easy to use but lacks beautiful skins.

I have now moved to JAlbum. There are tens of colorful skins for me to use. Moreover, photos can be accompanied with text and comments. I think JAlbum is the best web album I have ever used.

2007/08/18

spam statistics

I found that I marked down some spam statistics, but forgot from which sites. Quite interesting figures:

1. The average PC user receives over 2,000 and counting spammed emails per year.
2. The average computer user receives about 10 spams per day.
3. Spam is expected to increase by about 63% in 2007.
4. About 28% of people answer spam emails.
5. 15-20% of corporate email is spam and it is ever-growing.
6. 25% of spam is product-related.
7. About 90 billion spam emails are sent per day.
8. Nearly 80% of spam emails are sent from zombie networks or botnets.
9. China has the highest rate of spamvertized websites.
10. 63% of "take my email off your list" requests are not fulfilled.
11. 86% of email addresses posted on websites end up receiving spam.

2007/08/07

2GB file limit

I find that there is a limit of 2GB on the size of a file that can be listed in a web directory if directory listing is enabled in the web server settings. If a file is bigger than 2GB, it cannot be shown in the directory through http access. I guess this is the reason why Fedora Core and CentOS mirror sites which distribute DVD iso images can only be accessed by FTP. As far as I know, this problem will not be overcome in the coming new releases of Apache.

2007/08/05

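Taking a taxi in summer

Do not assume that taking a taxi in summer is necessarily more comfortable than taking a bus or minibus. Why?

At midday, both the front and back seats of a taxi are exposed to fierce direct sunlight, and because the cabin is small the absorbed heat builds up, so even an air-conditioned taxi cannot cool down effectively. Buses and minibuses do not have this problem, and today's air-conditioned buses and minibuses have an air vent at every passenger seat, which is much cooler and more comfortable than a taxi, where the vents are at the front row.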

2007/08/03

Generating 10 million numbers

I need to have a text file containing 10 million sequential numbers. This is the script I use :

#!/bin/bash
for i in {20000000..29999999};
do
echo $i >> numbers;
done

On a P4 3GHz machine, how much time is needed to generate such huge numbers ?

The answer is 53 minutes.

2007/07/17

Upgrade from FC4 to FC7

I had one server that needed to be upgraded from FC4 to FC7. I did the DVD upgrade version by version, that is FC4 > FC5, then FC5 > FC6 followed by FC6 > FC7.

At FC5, sendmail failed to start due to some changes in shared objects. This could be remedied by "yum install sendmail". Another process that failed was httpd. As I still had several upgrades to continue, I decided not to fix this yet.

The upgrades from FC5 > FC6 > FC7 were smooth and easy. Originally, in FC4, my httpd was serving static pages with no PHP or other added modules. At FC7, when httpd started, the first error was:

Syntax error on line 209 of /etc/httpd/conf/httpd.conf: Syntax error on line 10 of /etc/httpd/conf.d/perl.conf: API module structure `perl_module' in file /etc/httpd/modules/mod_perl.so is garbled - perhaps this is not an Apache module DSO?

I figured out this could be solved by yum install mod_perl.

Afterward, another failure appeared :

Syntax error on line 6 of /etc/httpd/conf.d/php.conf:
Cannot load /etc/httpd/modules/libphp5.so into server: /usr/lib/libcurl.so.3

This could be due to lack of php. The working solution was yum install php.

Just when I thought the problems had been cleared, another one came up:

Cannot load /etc/httpd/modules/mod_python.so into server: /etc/httpd/modules/mod_python.so:

The error actually prompted me to do a "yum install mod_python".

The last error was as follows :

Cannot load /etc/httpd/modules/mod_ssl.so into server: /etc/httpd/modules/mod_ssl.so: cannot open shared object file: No such file or directory.

This said I had to add mod_ssl to Apache. I did a yum install mod_ssl.

Finally, httpd 2.2.4 started running on FC7. The whole fault-finding process was full of pain.

2007/07/15

My First Touch on Shorewall

Last week, I installed and configured Shorewall on Fedora Core 6. I built a host-based firewall, which some people call a one-interface firewall. I encountered no difficulties, and the documentation gave sufficient detail for me to understand.

I tried to compare FC6's default iptables-based firewall functions with Shorewall. For stateful packet inspection of incoming packets, both are more or less the same. However, Shorewall offers the additional functions of whitelists, blacklists and rate limiting of incoming packets. There is no doubt that Shorewall is a perfect choice for people who find it difficult to learn and write iptables scripts.

2007/07/10

An Old Unix Proverb

"He who has never hacked sendmail.cf has no soul;

he who has hacked sendmail.cf more than once has no brain."

2007/07/08

zen.spamhaus.org


Spamhaus has combined the SBL, XBL and PBL blocklists into one single powerful and comprehensive DNSBL called the zen blocklist to make querying faster and simpler. As advised by Spamhaus, I have changed the settings on my server to query zen instead of SBL and XBL.

There is an interesting story behind the name "Zen". Zen was a guard dog, and for many years it guarded Spamhaus's base in England. After giving its name to the most powerful DNSBL, Zen now guards our networks and customers.

2007/07/07

FTP test

I connected to an FTP Server and uploaded all files in a directory by means of mget *.*. Which file will be uploaded first? At first, I thought the file upload sequence would be in alphabetical order of file names. This is wrong. The upload sequence was in accordance with the date and time of the files.

This is an interesting fact re-discovered. I should have learnt this some time ago.

2007/07/02

Fail2ban

Every system administrator is sick of brute force attacks on sshd and ftp daemons. There could be hundreds of thousands of attempts to log in with random names and guessed passwords. Changing the default listening port numbers will not help, as nmap can scan and pinpoint a particular service on an alien port.

This is what I have suffered for the past 5 years. With the help of fail2ban, it is time to say no to brute force attacks. Fail2ban extracts offending IP addresses from system log files and passes them to iptables to deny further access. Here is my fail2ban log after it detected 5 attempts of ftp brute force attacks and then initiated the banning of the IP address.

2007-07-02 20:07:28,345 WARNING: Restoring firewall rules...
2007-07-02 20:08:13,773 WARNING: vsFTPD: Ban 219.77.22.254
2007-07-02 20:18:14,735 WARNING: vsFTPD: Unban 219.77.22.254

The default config bans an offending IP address for 600 seconds and then releases it. System administrators can change the config to ban offending IP addresses permanently.

This is one of the security tools highly recommended by me.

2007/06/08

xargs rm

I have hundreds of thousands of files in a directory with names starting with dfk*. When I try to remove them with "rm -f dfk*", the returned error is "/bin/rm: Argument list too long". This says that, with wildcard syntax, there is an upper limit on the number of files that rm can delete at one time.

My workaround solution is to perform "xargs rm" in the following way:

# find . -name 'dfk*' | xargs rm

The result is surprising. It works like a script to issue a command line to remove individual files one by one.
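
An added example (not from the original post) of what that pipeline does when a matching file name contains a space, next to two variants that pass names intact. The fixture directory and function names are constructed for illustration; -print0 and -0 are GNU/BSD extensions, while -exec ... {} + is POSIX.

```sh
#!/bin/sh
# Added example: plain "find | xargs rm" splits file names on whitespace,
# so one name with a space becomes two different arguments to rm.

# make_fixture DIR: constructed directory with two dfk* targets and two bystanders
make_fixture() {
    mkdir -p "$1"
    : > "$1/dfk0001"
    : > "$1/dfk report.txt"     # target whose name contains a space
    : > "$1/report.txt"         # unrelated file
    : > "$1/keep.me"            # unrelated file
}

# cleanup_naive DIR: the pipeline from the post.
# xargs turns "./dfk report.txt" into "./dfk" and "report.txt"; rm fails on
# the first and deletes the unrelated second.
cleanup_naive() {
    ( cd "$1" && find . -name 'dfk*' | xargs rm 2>/dev/null ) || true
}

# cleanup_safe DIR: NUL-terminated names cannot be split or re-quoted
cleanup_safe() {
    ( cd "$1" && find . -type f -name 'dfk*' -print0 | xargs -0 rm -f -- )
}

# cleanup_posix DIR: no pipe at all; find batches the names itself
cleanup_posix() {
    ( cd "$1" && find . -type f -name 'dfk*' -exec rm -f -- {} + )
}

# remaining DIR: comma-separated, sorted list of what is left
remaining() {
    ( cd "$1" && ls | sort | paste -sd, - )
}

demo=$(mktemp -d)
make_fixture "$demo/naive"; cleanup_naive "$demo/naive"
make_fixture "$demo/safe";  cleanup_safe  "$demo/safe"
echo "naive leaves: $(remaining "$demo/naive")"
echo "safe leaves:  $(remaining "$demo/safe")"
rm -rf "$demo"
```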

2007/05/19

BC32

I tried two classes of BC 32 today. As usual, I expected some ginga moves in the warm-up track and a lot of evasive sidekicks in track 4. This time, the movement in track 4 is a bit messy. I cannot manage the combination of ginga, evasive sidekick and front kick on alternate legs. I recalled that in track 4 of BC31, we were required to mix ginga, evasive sidekick and jump kick and yet we did not have any problem. How come this time it seems more difficult?

The recovery track, Muay Thai track and the last power tracks in BC 32 are a bit short, not more than 4 minutes. I did not work up enough sweat. I love track 8 in BC31 (Back to UK), which lasts for over 6 minutes.

I expect the evasive sidekick in BC33 will be more difficult to learn. Let's pay more attention to this release. If we cannot manage the movement in this release, we might not be able to make a step forward to advanced moves in coming releases.

2007/05/17

New CISSP Requirements

The current requirements for obtaining CISSP credential will be more demanding with effect from Oct 2007. This is good since it will boost the reputation of the title.

The minimum professional experience requirement for CISSP certification will be five years of relevant work experience in two or more of the 10 domains of the CISSP CBK, or four years of work experience with an applicable college degree or a credential from the (ISC)2-approved list. The current requirements for the CISSP call for four years of work experience in one or more of the 10 domains of the CISSP CBK, or three years of experience with an applicable college degree or a credential from the (ISC)2-approved list.

Candidates for any (ISC)2 credential will be required to obtain an endorsement of their candidature exclusively from an (ISC)2-certified professional in good standing. The professional endorsing the candidate can hold any (ISC)2 certification – CISSP, SSCP or CAP. Currently, candidates can be endorsed by an officer from the candidate’s organization if no CISSP endorsement can be obtained. The board believes that only an (ISC)2-credentialed professional bound by its Code of Ethics should provide a candidate endorsement.

2007/05/14

Single iTunes software to support multiple iPod players

This is a real situation that I encountered in using iPod and iTunes. I have 2 iPod players and only one PC with iTunes software installed. If I plug in the first iPod player by USB, all the playlists and music in iTunes will be synchronized. However, I cannot edit playlists or add music for the 2nd iPod player because the iTunes playlists and music contents will be transferred out, resulting in corruption of all contents in the 2nd iPod player.

There is no mention in the iPod user manual of how a user can handle multiple iPod players with a single iTunes software. I have renamed the default iTunes music library database to something else and copied it to another set of music library database. The second database can be called upon by iTunes, and this enables me to have two sets of iPod contents within a single iTunes software.

2007/05/02

How to set up a backup mail server

For some time, I wanted to find out how ISPs set up a backup mail server for serving many corporate accounts together. The logic is that if a company's primary server fails, the incoming email will be queued up at the backup mail server of an ISP by means of the following typical MX records:

xyz.com IN MX 10 mail.xyz.com.
xyz.com IN MX 20 relay.isp.com.

The trick is how to configure relay.isp.com as a backup mail server. It is really not too difficult if one has a fairly good background in mail relay. Just configure an ordinary Sendmail server which acts as a relay host for the email destined for domain xyz.com in /etc/access. Since it might take several hours for the primary server to return to normal after a failure, the retry interval of the queued mail should be set longer, say several hours.

I have tried to use two mail servers one backing up the other and the tricks above really work.

2007/05/01

Wireshark to replace Ethereal

Due to trade mark issues, the software Ethereal has been renamed Wireshark (http://www.wireshark.org).

I find a lot of enhancements in Wireshark. The most obvious is that there is no need to stop capturing if one wishes to analyse the packets. For installation, the WinPcap 4.0 library is required. No need to worry, the installation program of Wireshark will remove the previous version, WinPcap 3.0.

For those who are still using Ethereal, it is time to shift to Wireshark.

2007/04/29

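The gas company's flame cooking commercial

A few days ago I wrote in this blog that the ING Steve Austin commercial was a failure; today I saw on TV the gas company's high-quality flame cooking commercial. It features a group of clever, obedient puppies showing off amazing tricks; it is lively, and the visuals are superb. This is a rare high-quality production, and I bet that this commercial will win an award.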

2007/04/28

Domain Name Bypass

If one types the IP address assigned to a web server, a default web page should be displayed. I have the idea that a web server which returns a page without the incoming connection passing the domain name might be a security risk, or give rise to malicious activities. One can easily tell that this is simply web access with domain name bypass. I have seen quite a few web sites which do not allow domain name bypass. One example is www.netvigator.com (IP address 218.102.21.228). If I give http://218.102.21.228/ in my web browser, the remote server returns "forbidden access".

Having said that, I am interested to find out how to configure a web server to avoid domain name bypass. Does it have anything to do with the VirtualHost directive?

2007/04/27

Two anti-virus software on a single PC

A couple of days ago I asked an IT friend why two anti-virus software packages could not be installed on one PC. The answer given to me was that each anti-virus software has some code resident in memory to protect the kernel and important system files. If two anti-virus software packages are there, they will clash with each other. This is very much like the case of not allowing two DHCP Servers on a single network segment. I believe the answer really makes logical and technical sense.

2007/04/25

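Steve Austin, the Six Million Dollar Man

ING recently launched a TV commercial that uses Steve Austin, the hero of the 1970s series "The Six Million Dollar Man", as its theme. My gut feeling is that this commercial will be a failure, because few people still remember this Steve Austin of 33 years ago. If a heroic character is wanted as an advertising theme, one should pick those that will not be buried by time, such as Batman, Spider-Man and Superman.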

2007/04/20

WOT plugin for Firefox

The WOT plugin is very interesting and perhaps useful. There are many web sites for spreading malware and malicious code. WOT has a list of dangerous and suspicious web sites based on reputation, and the reputation is derived from submissions from volunteers.

I came across a web site believed to be spreading malware. The WOT plugin warned me right away.

2007/04/18

Presenting Proper Language Versions of Web Pages to Visitors

Web sites such as www.trendmicro.com and www.blogger.com are built with intelligence to pre-select the languages for display to visitors. If I use English version of IE, the pages are in English text. However, if I use Chinese Version of Firefox, pages in Chinese text are returned. I think this is by means of a front end little Javascript to perform a browser language redirect.

Other than browser language detection, another means is a GeoIP database. If the GeoIP lookup detects that a visitor's IP address is one from China, web pages in the simplified Chinese version should be invoked.

2007/04/14

200 Mbps residential broadband service

Hong Kong Broadband Network (HKBN) recently introduced a 200 Mbps symmetrical broadband service to home users. Actually, the broadband services of HKBN are divided into 10M, 25M, 50M, 100M, 200M and 1000M. I don't think there is a need to divide into so many transmission speed levels. 10M, 100M and 1000M would be more logical steps.

One question I have about the 200M service is that Ethernet cards work with 100M and most home PCs are not equipped with a gigabit network card. If a user wants to enjoy the 200M broadband service, my logical thinking is that he/she has to buy a gigabit Ethernet card.

Intuitively, I don't think users can perceive the difference between 100M and 200M in normal web browsing and email activities. If the broadband connection is used for BT and other bandwidth demanding applications, then it would be a different consideration.

2007/04/12

Error in Webalizer

Webalizer is free software for monitoring web traffic, and it can compute hit rates and the number of times individual URLs are accessed by reading the httpd log file. After successful installation, the first time I ran webalizer, there was an error message which said:

"Error: Skipping oversized log record"

On checking the httpd log, there is one long line logged as :

"202.81.182.233 - - [07/Apr/2007:13:15:39 +0800] "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9.....

This is a worm sending extremely long code targeted at IIS web servers. After deleting the long line, everything worked normally. Even if I did not delete the long line, webalizer would simply ignore it.
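
An added example (not from the original post or from Webalizer) of flagging such requests in an access log before running the statistics: it reports lines whose request field exceeds a length limit or consists mostly of \xNN escapes. The 2048-character default, the "more than half escaped" threshold, the function names and the sample log are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: report access-log lines with an oversized or mostly
# hex-escaped request field, like the long SEARCH line discussed above.

# flag_suspicious LOGFILE [MAXLEN]
# Prints "ip method len=N escaped=M" for each flagged line.
# The request is taken as the first double-quoted field of the line.
flag_suspicious() {
    awk -F'"' -v max="${2:-2048}" '
        NF < 3 { next }                          # no quoted request field
        {
            req = $2
            split($1, head, " ");   ip = head[1]
            split(req, parts, " "); method = parts[1]
            # gsub with "&" leaves req unchanged and returns the match count
            esc = gsub(/\\x[0-9A-Fa-f][0-9A-Fa-f]/, "&", req)
            len = length($2)
            # each escape is 4 characters; flag if they exceed half the request
            if (len > max || esc * 4 > len / 2)
                print ip, method, "len=" len, "escaped=" esc
        }
    ' "$1"
}

# make_sample_log FILE: constructed log lines (documentation IP ranges):
#   1. ordinary GET
#   2. SEARCH followed by \x90 and 1500 repetitions of \xc9
#   3. GET with two escaped UTF-8 bytes in the path (should not be flagged)
#   4. short GET made up mostly of escapes
make_sample_log() {
    long=$(awk 'BEGIN { for (i = 0; i < 1500; i++) printf "\\xc9" }')
    {
        printf '%s\n' '192.0.2.10 - - [07/Apr/2007:13:15:01 +0800] "GET /index.html HTTP/1.1" 200 5120'
        printf '%s "SEARCH /%s%s" 501 299\n' \
            '198.51.100.7 - - [07/Apr/2007:13:15:39 +0800]' '\x90' "$long"
        printf '%s\n' '192.0.2.11 - - [07/Apr/2007:13:16:12 +0800] "GET /caf\xc3\xa9.html HTTP/1.1" 404 312'
        printf '%s\n' '203.0.113.5 - - [07/Apr/2007:13:17:40 +0800] "GET /\x90\x90\x90\x90 HTTP/1.0" 400 226'
    } > "$1"
}

sample=$(mktemp)
make_sample_log "$sample"
flag_suspicious "$sample"
rm -f "$sample"
```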

2007/04/10

Telnet server

By means of yum, I installed the telnet server, but I forgot how to start it. Fortunately, I recalled that the telnet daemon is controlled by xinetd. Just running
/etc/rc.d/init.d/xinetd start

will put the telnet daemon in service. Of course, it is necessary to tell xinetd that telnet should be enabled, either with "chkconfig" or by directly editing /etc/xinetd.d/telnet.

One more trick I made is to change the default port 23 of telnet to other alien port number. This is done by editing /etc/services.

2007/04/09

Reverse lookup error

I found the following in my server logs :

gethostby*.getanswer: asked for "7.212.72.222.in-addr.arpa IN PTR", got type "A"
gethostby*.getanswer: asked for "138.0.68.222.in-addr.arpa IN PTR", got type "A"
gethostby*.getanswer: asked for "5.64.72.222.in-addr.arpa IN PTR", got type "A"
gethostby*.getanswer: asked for "148.48.69.222.in-addr.arpa IN PTR", got type "A"

It seems that when doing a reverse lookup, the server expected the resource record to be PTR. However, the system administrator made the mistake of specifying an A record, causing reverse lookup failure. As far as I can recall, reverse lookup failure might deny email and ftp services. It would be nice if someone could alert the system administrator and report the error.

2007/04/08

Browsers supporting International Domain Names

I have known for some time that both IE 7.0 and Firefox 2.0 can support International Domain Names (IDN). However, I could not think of any web sites operated under Chinese domain names that could help me to verify this functionality. Recently, I noticed that the domain name http://雅虎中國.cn/ has been activated. Yes, by browsing 雅虎中國.cn, it is proved that both IE7.0 and Firefox 2.0 can handle the DNS resolution of IDN. Together with Opera, the three most popular web browsers in the world are capable of handling IDN.

A logical question comes to my mind. Can Safari of Apple do the same ?

2007/04/05

HTTP Error Code 403.4

If I type http://www.zurichlifeinternational.com/, the web server has the intelligence to return a page which tells me that the web site must be accessed by SSL and that https should precede the web address.

Some people might say it is a clever setting and some might say why bother, just redirect to the same address over https. I tend to support the latter. For the former, I think it has something to do with redirecting to an alert page upon detecting error code 403.4. I just don't know whether this is easy to configure on the server side.

2007/04/03

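Treating it as a small matter

On the incident of mainland tourists being cheated while shopping, Li Gang, deputy director of the Liaison Office, urged that it must not be treated as a small matter.

With 1.3 billion people watching the process and methods of the scam together, this is certainly no small matter. Moreover, the SAR Government has to rescue Hong Kong's reputation as a shopping paradise, and that is no small matter either.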

2007/04/02

E-Bill

My mobile service provider charged me HK$10 per month for the delivery of the printed monthly bill by post. This is quite unfair to subscribers, since this practice has been in use for many years and no charge was imposed in the past. My subscription plan is HK$58 per month covering 500 minutes of air time. The HK$10 surcharge is equivalent to another 100 minutes of air time. It leaves me no choice but to drop billing by post and switch to billing by email, which is simply called E-Bill for short.

2007/03/23

Google Currency Converter

Do you believe Google search engine can function as a currency converter ? If not, look at what I can do in the screen capture below:

2007/03/22

TCPview used as a forensics tool


I have used TCPview for over 2 years. Yet I had not realized that it is a forensics tool for Windows systems, especially in an online environment. The reason is that it tells which ports are open or established and the remote IP addresses connected to the different ports. Most importantly, it shows which programs are using which ports. This helps to identify the existence of back doors or Trojan horses on online Windows servers.

Surprise, Microsoft TechNet recommends the use of TCPview in conjunction with netstat:
(http://www.microsoft.com/technet/sysinternals/utilities/TcpView.mspx)

2007/03/20

Disclosing Bind Version Number

I have two servers running Bind 9.3.1 and unfortunately bad guys can use the following to check the version number:

$ dig @nameserver version.bind txt chaos
;; ANSWER SECTION:
VERSION.BIND. 0 CH TXT "9.3.1"

This is a security risk, as hackers can check whether the version in use contains buffer overflow vulnerabilities.

A simple work-around remedy is to insert the following in /var/named/chroot/etc/named.conf :

options {
    version "Not disclosed";
};

Upon the same query, the answer returned is :
;; ANSWER SECTION:
VERSION.BIND. 0 CH TXT "Not disclosed"

I recommend that system administrators do the same for security's sake.

2007/03/19

CPU Temperature

Can a CPU fry an egg? The answer is yes. In this picture, a guy folded aluminium foil to make a tray and then used copper coins as a heat conductor between the CPU surface and the tray. Within 11 minutes, the egg was fried. This demonstration is quite meaningful, and it lets people know how horrible a CPU is if it is not properly mounted with a heat sink and fan.

2007/03/18

.cc top level domain

I am amazed by the clever use of the top level domain .cc. Originally, it is the country code domain for the Cocos Islands. However, people think that .cc can be used to describe commercial company, Chinese community, country club or computer community. Here, we have Oriental Daily News, which has already changed its web site name from http://orinetaldaily.com.hk to http://orientaldaily.on.cc. Another example is www.hinet.cc, and we see that big network operators such as Hinet also treasure the .cc domain.

2007/03/15

Defrag trouble in FAT32

My son's PC has a FAT32 hard disk with 80GB capacity. 70 GB has been used up and the drive has not been defragmented for years. Needless to say, access is slow. I tried to use the defrag program of Windows in the hope of reducing scattered fragments, but Windows prompted me that at least 15% of HD space should be available. Shit! In an 80 GB HD, 12 GB will be sacrificed due to the poor design of FAT32. This leaves me no choice but to convert the whole HD from FAT32 to NTFS.

2007/03/13

ipod charger too expensive



How much is one ipod charger ? It is sold at HK$250.


Actually, this is far too expensive. I can just use a generic AC USB charger at HK$20 to perform the same recharging function. Apple Inc. should consider lowering the price!

2007/03/11

Madonna's Confession Tour

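The Confession Tour DVD is a very high-quality production, with pleasant songs and wonderful dancing. It is hard to believe that Madonna, past forty, can still dress so sexily and win all the applause from the audience. Most praiseworthy are the dancers: they can jump very high, do somersaults and perform difficult hip hop, on a par with stunt performers. Such a wonderful DVD does not get boring even after two or three more viewings; it is worth buying.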

2007/03/08

notebook with solid-state drive

Now that 1GB of flash memory has dropped to HK$80, I learn that notebook PC manufacturers have started to produce notebook PCs based on solid-state drives. I don't need too much storage; just 32GB will be OK. What can I expect in performance boost? On the whole, I can think of faster boot up, read/write a hundred times faster, higher durability, shock resistance, less noise, less weight and less power consumption for the notebook.

2007/03/03

Hong Kong - a WiFi city

Hong Kong will shortly become a WiFi city following the Government's pledge to invest about HK$200 million for providing free WiFi access to citizens in all government premises including parks, public libraries and recreational centres. In fact, we are now able to have free Wifi access in the Hong Kong International Airport. PCCW and HKBN are installing WiFi Access Point in major areas in the city but the use is limited to their subscribers only.

As our city will soon be fully WiFi-enabled, I don't think I still have to consider 3G mobile phone service.

2007/03/02

My comments on BC31

I have played BC31 four times this week. It is time for me to give comments on this release.

I reckon some changes in BC31. BC31 emphasizes more on techniques, yet we still have the chance to practise high intensity movements. The Capoeira moves (jinga) in the warm up track are really good. Surprise, evasive side-kicks come back again and a new move of double round-house kicks is added. In the Muay Thai track, we have to do 128 round house knees and finally the last power track (track number 8) lasts for over 6 minutes. Track 7 and 8 are really high intensity.

The changes in BC31 are very logical and sensible. Once again, BC 31 release shows that our choreographers have performed a great job in developing the best world-class training programs.

2007/03/01

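Tax refund

The first joy of this year has to be the tax refund. What can I do with this fifteen thousand dollars ? I think this money should be enough to buy a PS3 plus a 64-bit desktop PC with Windows Vista. That being so, in 2007 game consoles, mobile phones, desktop PCs, notebook PCs and other electronic devices should sell very well. Long live spending, long live the Financial Secretary.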

2007/02/28

My trip to Egypt

I returned from Egypt after 10 days of visit. Anything unforgettable ? Not so much. Pyramids, Sphinx, tombs and ancient temples were all great but not unforgettable. If I have to choose, I would say the sunset scenery on the River Nile was very beautiful and my personal experience of seeing a mirage in the desert was fascinating. Take a look at the pictures below.

Sunset of River Nile



Mirage on Desert

2007/02/17

Bon Jovi's song appears in BC31

I heard that Bon Jovi's song "You give love a bad name" is picked in BC31. I have predicted this quite some time ago.

How many songs of Bon Jovi are in BC series ? I count to five, i.e. runaway, always, living on a prayer, blaze of glory and you give love a bad name.

2007/02/16

Year 2038 Problem

When I look at the calendar function of Openwebmail, the year field goes up to year 2037 only. This reminds me of 32-bit Unix/Linux operating systems that use a 32-bit register to store the number of seconds elapsed since 1 Jan 1970. The latest year shall be 1970 + (2^31 / (24 x 3600 x 365)) = 2038.

In other words, my server will not work after year 2038. Nothing can be done but there is no worry at all. I bet by Year 2020, all computer systems on earth will be based on 64-bit architecture.
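The estimate above carried through to the exact second, as an added example that is not part of the original post. It assumes the counter is a signed 32-bit count of seconds since 1 Jan 1970 UTC; the sample dates are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1


def to_utc(seconds):
    """Convert seconds since the Unix epoch to a UTC datetime (negatives allowed)."""
    return EPOCH + timedelta(seconds=seconds)


def wrap_int32(seconds):
    """Return the value a signed 32-bit counter would hold for this second count."""
    # Keep the low 32 bits, then reinterpret them as a two's-complement integer.
    return struct.unpack("<i", struct.pack("<I", seconds & 0xFFFFFFFF))[0]


def last_safe_instant():
    """Last moment a signed 32-bit seconds counter can represent."""
    return to_utc(INT32_MAX)


def after_overflow():
    """What the same counter reads one second later, after wrapping negative."""
    return to_utc(wrap_int32(INT32_MAX + 1))


def overflows(when):
    """True if this UTC datetime cannot be stored in a signed 32-bit counter."""
    secs = int((when - EPOCH).total_seconds())
    return wrap_int32(secs) != secs


if __name__ == "__main__":
    print("last representable:", last_safe_instant().isoformat())
    print("one second later  :", after_overflow().isoformat())
    # Constructed sample dates, e.g. a calendar entry or a certificate expiry.
    for d in (datetime(2037, 12, 31, tzinfo=timezone.utc),
              datetime(2038, 1, 19, 3, 14, 8, tzinfo=timezone.utc)):
        print(d.isoformat(), "overflows" if overflows(d) else "fits")
```

Running `overflows()` over stored expiry or schedule dates is a quick way to find records that a 32-bit system would misread as 1901.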

2007/02/15

Maximum size of a blog message

Surprise ! I accidentally find out the maximum size of a blog message in blogger.com is 1MB. Google is too generous. This is really an over-provisioned parameter. I guess I probably need up to 5 KB only.

2007/02/14

Celebrating the 40th anniversary of Internet

This year marks the 40th anniversary of the Internet.

Are you kidding ? How come Internet has been around for 40 years ?

That is true. The Internet evolved from ARPANET and ARPANET was set up in 1967.

What can we expect at the 50th anniversary of Internet ? Well, I guess each household will have gigabit of bandwidth in use. All electronic devices, whether fixed or mobile, will be on IPv6 and hooked up to the Internet. There are many more to expect ....

2007/02/13

Think about HTML email clients again

From day one onwards, I have supported text-based email clients as opposed to their HTML-based counterparts. In the light of spamming activities, Internet fraud and the spreading of malicious software, it is a good time for users to think about this question again. There are a lot of risks with HTML email clients. I just name the apparent ones:

1. HTML-based clients can download malicious software in the background once an email is opened.
2. Phishing and identity theft are all done on HTML contents.
3. Spammers can track whether the recipient email address is valid because the URL links can embed the recipient address and send it out to the spammer's host automatically.

Apart from the security concern, there is the supporting argument that HTML emails increase the byte size and occupy more bandwidth due to cosmetic effect. However, these days, with large bandwidth available and huge hard disk space, will anyone care about this ?
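A mail-filter style check for risks 1 and 3 above, as an added example that is not part of the original post: it lists what a client would fetch just by rendering the message and which URLs carry the recipient's address. The sample message, hosts and function names are constructed for illustration.

```python
import base64
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import unquote

# Attribute that a rendering mail client fetches without any click, per tag.
AUTO_LOAD = {"img": "src", "iframe": "src", "script": "src",
             "link": "href", "body": "background"}

# Constructed sample message; hosts and addresses are placeholders.
SAMPLE = """\
From: news@shop.example
To: Alice <alice@example.org>
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="http://t.example.net/o.gif?u=alice%40example.org" width="1" height="1">
<img src="https://cdn.example.net/logo.png">
<a href="http://t.example.net/c?id=YWxpY2VAZXhhbXBsZS5vcmc">Offers</a>
</body></html>
"""


class UrlCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.auto, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get(AUTO_LOAD.get(tag, ""))
        if url and url.lower().startswith(("http://", "https://")):
            self.auto.append(url)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])


def carries_address(url, addr):
    """True if url contains addr in plain, percent-encoded or base64 form."""
    addr = addr.lower()
    b64 = base64.b64encode(addr.encode()).decode().rstrip("=")
    return addr in unquote(url).lower() or b64 in url


def scan(raw_message):
    """Report what opening the message fetches and which URLs identify the reader."""
    msg = message_from_string(raw_message)
    rcpt = parseaddr(msg.get("To", ""))[1]
    report = {"auto_loaded": [], "tagged_with_recipient": []}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        c = UrlCollector()
        c.feed(part.get_payload(decode=True).decode(errors="replace"))
        report["auto_loaded"] += c.auto
        report["tagged_with_recipient"] += [
            u for u in c.auto + c.links if rcpt and carries_address(u, rcpt)]
    return report
```

A text-only client never requests the `auto_loaded` URLs at all; a filter can use the same list to strip or proxy remote content before delivery.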

2007/02/12

DoCoMo's 4G Trial reached 5 Gbps

In future, what speed can a 4G base-station offer ?

According to the news sent to me by Telecom Asia, using a 100-MHz channel, the downlink speed was tested to be 5 Gbps. This high speed was aided by 12 sets of MIMO transmit and receive antennas and proprietary received signal processing technology.

For those working in the spectrum side, they will ask for spectral efficiency. This translates to 50 bps/Hz (5000 Mbps/100MHz).

Hey, wait a minute, how can we expect to have 12 receive antennas in end-user mobile devices ? Where does the 100 MHz spectrum come from, and in what bands ? Honestly speaking, users will be quite satisfied if they could have 100 Mbps in full mobility at an affordable price. There is still a long way to go.

2007/02/11

.com or .net

My friends asked me why I decided to change my domain name from ending with .com to .net. I said that .net got a higher status. I have all the services of my own needed to be a .net which include email server, web server, dns server, ftp server and secure shell server. It will be logical for me to have a .net domain name than a .com domain name.

2007/02/09

Root Server Attack

My colleague told me the news reported in Metro news related to the root server attack two days ago.

This time, DDoS attackers successfully struck down the "L" and "G" root servers plus one of the .org TLD nameservers. One of the root servers hit is operated by the US Department of Defense in the Pentagon. The attack lasted for 12 hours. However, there was no noticeable interruption to the Internet service.

Given there are now over 90 root server mirrors all over the world backing up the original 13 root nameservers by anycast routing, there is no chance of bringing down the entire root domain.

2007/02/08

An email from Samson Tam about CE Election

Here below is an email from Samson Tam I received this morning.

According to the survey conducted by Mr Samson Tam, 40 % of voters support Mr Leong. Applying this percentage, Mr Leong could be able to secure 320 votes in the CE Election. Isn't it amazing ?

"Dear friends of the IT sector,

Since my email sent to all of you one week ago seeking your views on nominating the CE candidates, I have received 420 replies out of thousands of questionnaire emails. I thank all of you for enthusiastically expressing your views and responding my quest.

Of all the replies, 230 were of the view that I should nominate Mr. Tsang, whereas 171 considered that I should nominate Mr. Leong. Four of them suggested that I should not nominate both, while a dozen of them expressed other suggestions, or not at all. As such, in accordance with the survey result, I will nominate Mr. Tsang in the coming CE election.

Through this survey, I have learnt more about the industry, the different voices and demands of the IT practitioners, and have got many valuable views and suggestions put forth by many of my friends in the IT sector. Overall, it seems that many IT people are longing to see an election with competition. Also, they are willing to actively participate in it, so as to contribute to a better IT future.

Once again, I would like to thank all of you for your active participation in the survey and feedback.

Best regards,

Samson Tam"

2007/02/07

A story about firewall

This is a true story.

A large corporation in Hong Kong is using Checkpoint Firewall on Windows 2000 Server as a software firewall. My first thought is that Windows 2000 Server is not a hardened server OS. How could one rely on a non-hardened server OS to build a mission critical application on top of it ? My second thought is that patches for Windows OS are released as frequently as several times a month. When patches are added, the server has to be stopped and re-started. Testing then follows to check whether the added patches create new problems. The third bad thing is that Windows Server requires periodic reboots, unlike Unix or Linux which do not require a re-boot after running for two to three years. This results in some loss of availability. Having said that, I could not imagine how this application can offer 24 x 7 x 365 non-stop service.

2007/02/05

Is vsftpd really secure

People call "vsftpd" the very secure ftp daemon. There is one default setting which renders the daemon insecure. When a user logs in, he can leave his home directory and go up to other directories. There should be some locking mechanism to ban this. Googling around tells me that adding the following line in /etc/vsftpd/vsftpd.conf can overcome the problem:

chroot_local_user=YES

This way, ftp users are locked in a jail.
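A configuration check for the setting above, as an added example that is not part of the original post or of vsftpd itself. It goes one step further than the post by also reading `chroot_list_enable`, which the vsftpd.conf manual documents as turning the chroot list into a list of exempt users when `chroot_local_user=YES`; the function names and sample configurations are constructed.

```python
DEFAULT_LIST = "/etc/vsftpd.chroot_list"  # documented default of chroot_list_file

# Constructed sample configurations.
DEFAULTS_ONLY = "local_enable=YES\nwrite_enable=YES\n"
PAGE_FIX = DEFAULTS_ONLY + "chroot_local_user=YES\n"
INVERTED = PAGE_FIX + "chroot_list_enable=YES\n"
SPACED = "chroot_local_user = YES\n"


def parse_conf(text):
    """Return (options, bad_lines); vsftpd wants option=value with no spaces."""
    opts, bad = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        key, sep, value = s.partition("=")
        if not sep or key != key.strip() or value != value.strip():
            bad.append(n)  # the manual calls spaces around '=' an error
            continue
        opts[key] = value  # this parser keeps the last assignment of an option
    return opts, bad


def chroot_policy(opts):
    """Classify which local users end up jailed in their home directory."""
    def yes(key):
        return opts.get(key, "NO").upper() == "YES"
    listfile = opts.get("chroot_list_file", DEFAULT_LIST)
    if yes("chroot_local_user"):
        # With the list enabled, it names the users who are NOT jailed.
        return ("all_except", listfile) if yes("chroot_list_enable") else ("all", None)
    return ("only_listed", listfile) if yes("chroot_list_enable") else ("none", None)


def audit(text):
    """Return (mode, findings) for the text of a vsftpd.conf file."""
    opts, bad = parse_conf(text)
    mode, listfile = chroot_policy(opts)
    findings = [f"line {n}: not in option=value form" for n in bad]
    if mode == "none":
        findings.append("local users can leave their home directory")
    elif mode == "only_listed":
        findings.append(f"only users in {listfile} are jailed")
    elif mode == "all_except":
        findings.append(f"users in {listfile} are exempt from the jail")
    return mode, findings
```

Only the `all` mode returns no findings; the `all_except` case is the one to review after someone enables a chroot list on a server that already has the line from the post.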

2007/02/04

Goodbye to WS FTP

I had used WS FTP for more than 10 years. A few years ago, Ipswitch announced that WS FTP was no longer free software. Since then, I had not had any new release.

Frankly speaking, the WS FTP I had in hand was quite outdated. It did not have the drag and drop function to partially transfer files in folders between local and remote machines. When a large number of files were transferred, it hung up occasionally.

I made up my mind to say goodbye to WS FTP. What would I like to use then ? I should go for Smartftp client. It is a bit strange. Normally, remote machine will be on the right side but Smartftp client makes a different direction. It is just a matter of time to get used to the new screen layout.

2007/02/03

Yoga and Information Security


I find one common feature between Yoga and Information Security.

Yes, it is "insight that brings strength and agility". Agree ?

2007/02/02

IIS under construction

If you are a system administrator and you have started the IIS server but the web pages are not ready, it is important to put in an index.html with something like "This site is currently under construction". If not, look at the screen below. It tells people that you are using Microsoft IIS Web Server. This is a vulnerability that discloses the server and web OS to visitors.

I must blame Microsoft for this silly fault. In the absence of a default page, the web server can just return a 404 error code of page not found. It is much safer than revealing the server and web OS.

2007/02/01

acrobat PDF reader eats up 32MB memory

Using task manager, I noticed that acrobat PDF reader consumed 32 MB of memory. This is a huge amount of memory resource. Besides eating up memory, I don't think acrobat PDF reader can give a good performance.

I have switched to use Foxit pdf reader. This software can load and open PDF document really fast and it only takes up 4 MB of memory, just 12.5 % of that of acrobat pdf reader. Of course, it is a freeware.

I regret that I only discover this great software so late.

2007/01/30

Combat Marathon Class

Tonight I joined the Combat Marathon Class at Mong Kok which lasted for one hour and forty five minutes. There were altogether 18 tracks played, of which three were for Muay Thai. This class was of course a high intensity exercise. I believed I had burnt over 1300 kcalories.

About the class arrangement, only 120 members were allowed. Up to 15 members from each club could be allowed.

One thing I didn't like was there was no need to do the push-up conditioning after the 9 track. Doing the push-up made our body temperature drop and our heart-rate also slowed down. It took a while to get back to the best shape. Just a waste of time !!!!

2007/01/29

How to dial to an IP Phone

I got a business card in which there is an IP Phone number printed as follows :

IP Phone : 202.122.98.88 (P2P)

I wonder how I can use Internet to dial and connect to this IP Phone. My colleagues suggested that I should use Netmeeting in which the p2p Internet phone is H.323-based. I still can not figure out how to proceed.

2007/01/28

Suggestions to Les Mills

This is my third suggestion to Les Mills on Body Combat tracks :

Artist : DJ Moore
Track : Smoke on the water
Reason : The rock music is good and the beat is strong for Muay Thai. Just re-use it for Muay Thai track in new releases. I can expect the same effect as the re-use of "We will rock you" in BC30-7.

Having seen the success of re-using past tracks in BC30 (track 2, 3 and 7 in BC 30 are re-used tracks), I am sure combat fans will be addicted to this track.

I very much hope Les Mills will take my suggestion.

2007/01/27

PCMCIA LAN card will become history

Today, I went into a computer shop to ask for a PCMCIA LAN card. The sales staff were puzzled wondering what kinds of notebook I had which did not have a built-in LAN card. I told them that some people who conduct network testing and monitoring need two or three LAN connections in their notebook PCs. The sales people went on to tell me that they only had one such card sold out in a year.

One thing for sure is that PCMCIA LAN cards will become obsolete in near future. I like to keep this kind of hardware devices and I will buy two more for future use.

2007/01/22

whois search

I needed to look for the allocation of the IP address 66.179.240.29 and found out the owner. This was an IP address under allocation of ARIN. Obviously, I would use the web site of www.arin.net and doing a web-based whois search. Quite strange, the information could not be found.

Intuitively, I had the feeling that a web-based whois search is not as reliable as a whois client directly interacting with the whois database of ARIN. On a Unix shell, the command to be invoked is :

$whois 66.179.240.29 whois.arin.net
[Querying whois.arin.net]
[whois.arin.net]
Inflow Inc. NFLO-AR-3 (NET-66-179-0-0-1)
66.179.0.0 - 66.179.255.255
PBase.com, LLC INFLOW-996-94320-16484 (NET-66-179-240-0-1)
66.179.240.0 - 66.179.240.127

# ARIN WHOIS database, last updated 2007-01-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Yes, really. It worked which indicated web-based whois could not provide reliable information.

2007/01/20

Satellite killers

China has not made any official announcement about the purpose of testing ballistic missile destroying an obsolete weather satellite in orbit. I think this is a show off ! Yes, indeed, China has sent a clear message to the world, especially to the US that she has the technology required to hit down orbiting satellites in outer space.
As Chinese citizens, we have nothing to be proud of for such technological achievements. Do we really need such a weapon for defence ?

2007/01/19

New Blogger account

I have migrated my old blogger account to the new account. Not many changes are visible. I only spot two good features. First, there is a label which users can tag on the message. I think it can help to manage and display different messages according to category.

The second feature is very good, instant publishing. Whenever I publish a new post or change settings, my blog is updated. There is no need for me to republish after changes.

2007/01/18

file limit

I have about 23000 files in a single directory. If I try to use mv, rm or zip *.* for files in the directory, there is a prompt of argument too long. This sends a clear signal to me that there is a limit on the number of files mv or rm can work on. I am interested to know this limit. How can I find out ?

2007/01/15

root name service available in HKIX

When accessing the APNIC web site, I noticed that HKIX has set up a mirror site for the f root name server (f.root-servers.net). This can dramatically boost the performance of root DNS service for Internet access in Hong Kong. The presence of the root mirror service can be detected by using a traceroute command as :

# traceroute f.root-servers.net
traceroute to f.root-servers.net (192.5.5.241), 30 hops max, 38 byte packets
1 kreisler.netfront.net (202.81.252.28) 1.156 ms 1.838 ms 2.693 ms
2 isc1-FE.hkix.net (202.40.161.202) 2.766 ms 2.235 ms 3.203 ms
3 f.root-servers.net (192.5.5.241) 2.879 ms 3.305 ms 3.336 ms

Yes, indeed, the next hop after HKIX is f.root-servers.net

2007/01/12

iPhone


These few days, people I know are all talking about iPhone. Can you resist the temptation - a smart phone with no keypad, 4GB storage and all iPod-enable features. As a die-hard fan of iPod, I think I will get one. It is not good that the phone will only be released to the Asia market by 2008.

The stock price of Apple Computer Inc has risen by 2.5 % after iPhone is unveiled.

2007/01/10

VirtualHost in Apache

Just when I thought I was competent about various settings of virtual host in Apache, I encountered this error when adding a new web site :

"Starting httpd: [Wed Jan 10 19:43:20 2007] [warn] VirtualHost http://www.bya.org.hk/ overlaps with VirtualHost http://www.amrita.org.hk/, the first has precedence, perhaps you need a NameVirtualHost directive"

The result was that access to http://www.amrita.org.hk pointed to www.bya.org.hk.

I had to add the NameVirtualHost 202.81.252.116:80 in "httpd.conf" to make things work again.

2007/01/02

ORDB closing down

ORDB announced that their open relay database running as DNSRBL will be closing down since 1 Jan 2007. This is sad news, as I have been relying on ORDB.org to kick out spam email sent by relay. One important development as seen from the closing down is that spammers have changed their tactics and open relay RBLs are not the most effective way to counter spam. Here below is the announcement before the closing down of their web site :

"We regret to inform you that ORDB.org, at the ripe age of five and a half, is shutting down. It's been a case of a long goodbye as very little work has gone into maintaining ORDB for a while. Our volunteer staff has been pre-occupied with other aspects of their lives. In addition, the general consensus within the team is that open relay RBLs are no longer the most effective way of preventing spam from entering your network as spammers have changed tactics in recent years, as have the anti-spam community.

We encourage system owners to remove ORDB checks from their mailers immediately and start investigating alternative methods of spam filtering. We recommend a combination involving greylisting and content-based analysis (such as the dspam project, bmf or Spam Assassin)."