2008/12/31

Last day in year 2008

Today is the last day of 2008. What do I plan to do?

I just want to send an SMS to my best friends saying that 2008 has been a very difficult year. I hope they can continue to stay strong, and I wish them a better 2009. More importantly, we should work hard and enjoy a better life. Do not speculate in the stock market any more.

Good luck, friends.

2008/12/30

Microsoft did not provide md5sum for trial software

I downloaded the trial version of Publisher 2007 in Chinese. The file size was 403 MB. It is very odd that Microsoft did not provide an md5sum for the file. The download took considerable time, and if there was any error due to transmission problems or other unexpected corruption, how could I verify the integrity of the file once the download had completed without the md5sum value?

Microsoft should provide the md5sum of all trial software packages. This is a basic rule that MUST be followed so that users can check file integrity.
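The check the post is asking for, as an added example that is not code from the original post: hash the downloaded file in chunks (a 400 MB file should not be read into memory at once) and compare against the published value. The sample "download" and the flipped byte are constructed inline. One caveat a practitioner would add: a digest fetched from the same page as the file only detects accidental corruption; anyone who can swap the file can swap the digest too, and MD5 is collision-broken, so for tamper detection a SHA-256 digest plus a signature (or a digest obtained over a separate trusted channel) is the standard to ask for.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-hundred-MB download never
    has to be held in memory in one piece."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex, algorithm="md5"):
    """Compare the file's digest with the published one. compare_digest
    is a constant-time comparison; overkill for a local check, but the
    right habit whenever a secret or a digest is compared."""
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def demo():
    """Constructed scenario: write a sample 'download', record its digest
    as the vendor would publish it, verify it, then flip one byte in the
    middle to simulate a corrupted transfer and verify again."""
    payload = os.urandom(3 * 1024 * 1024)  # 3 MiB of constructed data
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(payload)
        path = fh.name
    try:
        published = file_digest(path, "md5")
        intact = verify_download(path, published, "md5")
        corrupted = bytearray(payload)
        corrupted[len(corrupted) // 2] ^= 0x01  # single bit flip
        with open(path, "wb") as fh:
            fh.write(corrupted)
        after_flip = verify_download(path, published, "md5")
    finally:
        os.unlink(path)
    return intact, after_flip
```

demo() returns (True, False): the untouched file verifies and the one-bit corruption is caught. Swapping "md5" for "sha256" in the calls is all it takes once a vendor publishes the stronger digest.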

2008/12/29

ICANN's charge for new Top Level Domains

ICANN has proposed creating hundreds of new top-level domains such as .microsoft or .ibm. For such a TLD to work, the one-off application fee is US$185,000, and the annual recurring cost for the domain to stay in the DNS root is US$75,000.

Currently, ibm.com or microsoft.com costs only around US$20 per year. The US$75,000 annual cost is 3,750 times higher. I wonder how that cost could be justified!

2008/12/24

JavaScript to protect email addresses against harvesters

This is a small piece of JavaScript that splits a valid address into several strings and breaks "mailto" into "ma" and "ilto" to confuse email address harvesters.



It is useful for all webmasters.
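As an added example (not the script from the original post), here is a small Python generator that produces such a snippet, beside the kind of naive regex harvester it is meant to defeat. The address, piece size and link text are constructed for illustration. The caveat: this only stops harvesters that scan the raw HTML; a harvester that runs the page in a JavaScript engine sees the assembled link, and visitors with scripting disabled see no link at all, so a contact form that never exposes the address is the stronger option.

```python
import re

# Naive pattern of the kind an address harvester applies to raw HTML.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def chop(s, size=3):
    """Split a string into pieces of at most `size` characters."""
    return [s[i:i + size] for i in range(0, len(s), size)]


def obfuscate_mailto(address, link_text=None, piece_size=3):
    """Emit a <script> block that rebuilds a mailto: link in the browser.
    Neither the address nor the word "mailto" appears contiguously in the
    HTML, so a harvester that only regex-scans the page source finds nothing."""
    local, domain = address.split("@", 1)
    pieces = chop(local, piece_size) + ["@"] + chop(domain, piece_size)
    js_parts = " + ".join("'%s'" % p.replace("'", "\\'") for p in pieces)
    text_parts = js_parts if link_text is None else "'%s'" % link_text
    return (
        "<script type=\"text/javascript\">\n"
        "var a = " + js_parts + ";\n"
        "document.write('<a href=\"' + 'ma' + 'ilto:' + a + '\">' + "
        + text_parts + " + '</a>');\n"
        "</script>"
    )


def plain_mailto(address):
    """The unprotected form, for comparison."""
    return '<a href="mailto:%s">%s</a>' % (address, address)


def harvest(html):
    """What a dumb harvester extracts from the page source."""
    return sorted(set(EMAIL_RE.findall(html)))
```

harvest(plain_mailto("webmaster@example.com")) returns the address, while harvest(obfuscate_mailto("webmaster@example.com")) returns an empty list, because every piece of the address in the generated script is separated from its neighbours by quotes and plus signs.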

2008/12/23

Web Server Audit - please don't laugh after reading

This is part of a report by an external auditor after conducting a security audit on a web server:

"In the vulnerability scan result, the Audit Team observed that some unused files exist on the web server www.abc.com. The files may disclose system information to the public. Although there is no sensitive information in the files, it is recommended to control access to files and information. The unnecessary files are:

1. www.abc.com/robots.txt
2. www.abc.com/favicon.ico "

Oh God! If you want to laugh, I will not stop you.

2008/12/21

Phishing activity in Thailand

I read a presentation prepared by ThaiCERT on general phishing activity in Thailand. According to ThaiCERT, phishing has little impact in Thailand because:

a. Thai people ignore English e-mail.
b. Thai people don't trust the security of e-transactions.
c. There are a lot of offline banks, ATMs and branches, which are convenient.

It seems to me that fraudsters should stop sending phishing emails to addresses in .th domains.

2008/12/17

AS Trace

My colleagues asked if I could list all the IP addresses allocated to a local ISP. I tried the "Looking Glass" service of HKIX, but it seemed I could not get the list even though I knew the AS number.

I resorted to the AS trace facility of fixedorbit.com. The results were satisfactory. I have to remember the name of this web site, since such a service is rare on the Internet.

2008/12/14

How much does a flu shot cost?

Living on Broadcast Drive, I naturally thought of going to Baptist Hospital for a flu shot. The duty nurse said the flu vaccine costs $150, but since the injection is given by a doctor, the doctor's fee is about $300-400, which is super expensive. Afterwards I went to a clinic where the injection was also given by a doctor, and it cost only $170. This is enough to prove that the general outpatient fees of private hospitals are sky-high.

2008/12/03

How much is a single-character domain name worth if it is globally unique?

SGNIC is now inviting applications for single-character domain names (SCDNs) such as a.sg, a.com.sg etc. The starting price is S$20,000. If there is more than one application for an SCDN in the ccTLD categories (such as .com.sg, .net.sg), applicants will be asked to bid until a final winner emerges.

This triggers me to think about the market value of SCDNs in the generic TLDs, such as a.com, b.net etc. If a country-specific SCDN can be sold for S$20,000, the more attractive and globally unique SCDNs in the gTLDs should be priced 10 or even 100 times higher.

Has ICANN set a policy on this? What does HKIRC plan to do with SCDNs under .hk? I need to find the answers!

2008/11/29

68-dollar all-you-can-eat hotpot: would you still believe it?

A well-known restaurant in Yau Ma Tei advertised an all-you-can-eat hotpot at $68 per head. Only after entering did diners discover the following surcharges (per person):
Soup base - $20
Sauces - $20
Tea - $10

That adds up to $118, plus a service charge on top, for a total actually paid of $130. What deceptive advertising!

2008/11/28

Car number plates: anything goes

This morning near Kowloon Tong MTR station I saw a private car with the number plate "MOON 4", which in Cantonese sounds like "bored to death". Wow, even that plate has a taker. I thought, perhaps one day I will see the plate "CHONG 4", which sounds like "crashed to death"; wouldn't that be saying the owner does not mind being crashed to death?

2008/11/26

2008/11/18

Obscenity review consultation criticised as sloppy

Oriental Daily
Privacy Commissioner's Office criticises obscenity review consultation as sloppy
16/11/2008
[Oriental Daily report] The current system for classifying obscene and indecent articles is riddled with holes, and the government's consultation proposals for reviewing that system have also been criticised as sloppy and full of loopholes. The Office of the Privacy Commissioner for Personal Data pointed out that the consultation paper's proposal to use credit card numbers to verify that users of adult websites are aged 18 or over is not only impractical but could also disclose users' personal data unnecessarily.

Credit card identity check not feasible
The proposal had already caused wide controversy online, with netizens blasting it as "brainless" and "harmful" for making the theft of credit card data worse. The Privacy Commissioner's submission to the committee pointed out that a credit card number is tied to an account rather than to a person; the account holder is not necessarily an individual, and the number alone cannot verify whether the holder is an adult. If Internet service providers were allowed to check the holder's age or further details with the credit card company, the holder's real identity might also be disclosed.

The submission also said that, since credit card numbers are not an effective means of verifying a website user's identity or age, the proposal would pose an unnecessary threat to personal data privacy.

2008/10/15

2GB thumb drive with a lifetime warranty

I bought a 2GB USB stick worth HK$50 that comes with a free lifetime warranty. The problem is that if it really breaks, I will certainly not spend HK$30 in round-trip fares to take it in for repair; the fare alone is 60% of the product's price, so I might as well buy a replacement. This shows that such low-priced consumer electronics need no after-sales warranty at all, and the distributor's claim of a lifetime warranty is just a gimmick.

2008/09/13

Multiple antivirus packages on a single PC

There are a number of free antivirus (AV) packages like BitDefender, AVG, avast! etc. As no single AV package can detect 100% of new viruses, some might think that having two AV packages on one PC would let them complement each other and offer higher protection. This is not the case. AV packages are not only incompatible with each other but also confuse each other. If both are kept memory-resident together, or both perform a virus scan, the PC will slow down and might even hang.

2008/09/08

After the election

Long Hair put it well: DAB, don't be too pleased; in New Territories East the pan-democrats took five seats while you got only two.

Hong Kong Island voters, you are really remarkable. You voted tactically, piling votes on Tanya Chan's ticket, kicking out the Fujian woman and keeping the pan-democrats' big sister in.

2008/09/07

Exit poll

Today I voted for the pan-democrats. Outside the polling station I met an HKU pollster asking for an exit-poll interview. Thinking that exit polls have degenerated into a vote-allocation tool for certain people, I simply answered that I had voted for the DAB.

2008/09/06

Functional constituency candidates

Functional constituency candidates, please remember: "sectoral interests must never override the public interest". If you think that is hard to do, please withdraw from the election immediately.

I have no wish at all to hold a functional constituency vote. Functional constituencies give rise to too many conflicts of interest and must be abolished as soon as possible.

2008/09/05

Mr Joseph Lian Yi-zheng's "Seven Don't-Votes"

The day before yesterday in the Hong Kong Economic Journal, Mr Lian Yi-zheng shared his "Seven Don't-Votes" with readers:
(1) Don't vote for those who lean excessively toward business interests and ignore the toiling masses;
(2) Don't vote for those entangled with big tycoons who oppose universal suffrage and keep saying "democracy does not equal universal suffrage";
(3) Don't vote for those who are absent-minded about LegCo work, or who "cooperate" too closely with the government and do not take monitoring the government as their duty (these people may be good material for under-secretaries);
(4) Don't vote for those who support the undemocratic system and bad laws left over from the colonial era, such as certain outdated provisions of the Broadcasting Ordinance;
(5) Don't vote for those who have not accepted the lesson of 2003 and favour "reheating" the content and legislative procedure of the Article 23 blue bill, as if afraid the world is not chaotic enough;
(6) Don't vote for those who favour erecting all kinds of harsh roadblocks to universal suffrage that benefit vested interests;
(7) Don't vote for those in functional constituency elections who overemphasise or focus on narrow sectoral interests and neglect the public good (electing a LegCo member is not like electing a chamber of commerce chairman).

At this critical moment in the election, many like-minded netizens are doing their best to spread the "Seven Don't-Votes" across discussion forums, Facebook and blogs. Since I have my own blog, I should of course do my part and repost the "Seven Don't-Votes" to help them circulate.

2008/08/30

The difference

This picture shows the difference between Windows and Ubuntu.



On the CD surface, the following is printed:

Windows :Please do not lend or make illegal copy of this software.

Ubuntu : Legally free to copy, modify and redistribute.

2008/08/29

MTR Internet kiosks block Facebook

I tried to access Facebook at an MTR Internet kiosk. The connection was blocked, and the alert message said that access to dating web sites was prohibited by the security policy. Facebook is a social networking platform with over 1 million registered users in Hong Kong. People use Facebook for a variety of purposes: exchanging messages, chatting with online friends, sharing photos and videos, group discussions on a common theme, inviting friends to events, giving electronic gifts etc. I cannot imagine why Facebook should be blocked.

2008/08/26

New Zealand CERT

Talking to a friend from New Zealand, I was told that the New Zealand Government will only establish NZ CERT in 2009. I checked this and the finding was correct.

New Zealand is a highly developed country. There should not be resource problems, such as funding and a skilled workforce, in supporting a CERT operation. The lack of a national CERT could undermine people's confidence in e-commerce, online transactions and other Internet-based activities. Suffice to say this is detrimental to the long-term development of a country.

2008/08/24

"The race is tight": deceiving voters

7 September is polling day, and my whole family will turn out to vote. But candidates, please stop using "the race is tight" to deceive voters.

2008/08/23

Dan Kaminsky

Since July, the name "Dan Kaminsky" has appeared on numerous web sites related to the Internet and IT security because of his great work in digging out an alarming fundamental design flaw in DNS that leads to cache poisoning (when a resolver sends every query from one fixed source port, a spoofer only has to guess the 16-bit transaction ID, and by asking for many random names under the target domain he gets as many attempts as he likes). His presentation (107 slides) at the Black Hat USA 2008 conference can be obtained from http://www.doxpara.com/DMK_BO2K8.ppt. It is titled "Black Ops 2008 -- It's The End Of The Cache As We Know It, Or: '64K Should Be Good Enough For Anyone'".

I enjoyed reading his great work, though I could understand less than half of the contents.

2008/08/21

Fake lowest and highest MX records to reduce zombie spam

I have been using a fake lowest-preference MX record to reduce zombie-originated spam. An example:

1H IN MX 10 fake.mymail.com
1H IN MX 20 realmx.mymail.com

The host named in the MX 10 record can either have no address record at all or point to an IP address on which nothing listens. The second choice has a cost: if that address silently drops packets, every legitimate sender waits for a connect timeout before moving on, whereas an address that actively refuses the connection (TCP RST) fails instantly.

A legitimate sending mail server treats the failure as temporary, tries the next preference (MX 20) and delivers successfully, with some delay. A spam zombie's minimal SMTP engine typically tries only the first MX and, when that fails, just moves on to the next victim.

The above has a shortcoming: a zombie might instead deliver to the address in the MX record with the highest preference number (usually the backup server), on the assumption that the backup mail server has fewer anti-spam features. A more careful setting is:

1H IN MX 10 fake.mymail.com
1H IN MX 20 realmx.mymail.com
1H IN MX 30 fake.mymail.com

Some have reported that the fake lowest and highest MX records working together can reduce zombie spam by 90%.

More information on this method is in http://wiki.apache.org/spamassassin/OtherTricks
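A simulation of why the trick works, as an added example that is not part of the original post: the three MX records above are walked by a compliant MTA (ascending preference, carry on after a failure) and by two zombie strategies (first MX only, or backup MX only). The per-host connection behaviour table is constructed for illustration, including the "blackholed address" case, whose 30-second timeout shows the delay caveat.

```python
# Constructed zone fragment: (preference, host) pairs, as the MX records
# above would be read back from DNS.
NOLISTING_MX = [
    (10, "fake.mymail.com"),
    (20, "realmx.mymail.com"),
    (30, "fake.mymail.com"),
]

# Constructed view of what each host does on port 25. Missing host = no
# A record; "timeout" = address drops packets; "refused" = TCP RST;
# "accept" = a real MTA answers.
HOST_STATE = {"fake.mymail.com": "refused", "realmx.mymail.com": "accept"}


def try_connect(host, states=HOST_STATE):
    """Simulated SMTP connect attempt. Returns (delivered, seconds_spent)."""
    state = states.get(host)
    if state is None:
        return False, 0    # no address: skipped immediately
    if state == "timeout":
        return False, 30   # blackholed IP: sender sits out a connect timeout
    if state == "refused":
        return False, 0    # RST: fails at once, cheap for legitimate senders
    return True, 0


def deliver(mx_records, behaviour, states=HOST_STATE):
    """Walk the MX list the way the named sender type does.
    'rfc'     : compliant MTA, ascending preference, continue on failure
    'lowest'  : zombie that only tries the best-preference host
    'highest' : zombie that aims at the backup (largest preference) host
    Returns (delivered, host_used_or_None, seconds_spent)."""
    ordered = sorted(mx_records, key=lambda r: r[0])
    if behaviour == "rfc":
        candidates = [h for _, h in ordered]
    elif behaviour == "lowest":
        candidates = [ordered[0][1]]
    elif behaviour == "highest":
        candidates = [ordered[-1][1]]
    else:
        raise ValueError("unknown sender behaviour: %s" % behaviour)
    spent = 0
    for host in candidates:
        ok, secs = try_connect(host, states)
        spent += secs
        if ok:
            return True, host, spent
    return False, None, spent
```

With the table above, deliver(NOLISTING_MX, "rfc") delivers via realmx.mymail.com with no delay, while both zombie strategies give up. Changing the fake host to "timeout" still delivers, but only after the 30-second wait, which is why a host that refuses connections is the friendlier choice.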

2008/08/20

A remote control for men only

A friend sent me this remote control on my Facebook FunWall. It is for men only. Of course, children should not touch it.

2008/08/16

The "piston man" incident

The "piston man" has really caused a sensation across the city. Most citizens think the government should pursue the "piston man" for the cost of repairing the damaged public property, and I absolutely agree. We can never tolerate public facilities being damaged through abuse by people with peculiar fetishes. The government also needs to remind the public of another important message: before using the facilities in a park, remember to disinfect them.

2008/08/15

DNS Port Randomness Test

One of my DNS servers has been upgraded from BIND 9.4.2 to BIND 9.5.0-P1 to close the cache poisoning hole caused by the lack of randomness in the source port of outgoing queries. The test string and the server for testing the randomness can be found at https://www.dns-oarc.net/oarc/services/porttest.

After the upgrade, the port randomness problem is resolved.
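What such a test looks at, as an added example that is not the OARC service's own code: given a sample of the source ports a resolver used for successive queries, count distinct values, look for simple increments and estimate the entropy of the sample. A fixed port leaves the attacker only the 16-bit transaction ID to guess; random ports add roughly 16 more bits. The three port samples below are constructed (the "GOOD"/"POOR" verdicts and thresholds are mine, in the spirit of the porttest output, not its actual scale).

```python
import math
import random
from collections import Counter


def port_stats(ports):
    """Summary of a sample of source ports seen on outgoing queries."""
    n = len(ports)
    counts = Counter(ports)
    # Shannon entropy of the observed distribution, in bits. A sample of n
    # values can show at most log2(n) bits, so that is the yardstick.
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    sequential = sum(1 for d in deltas if d == 1)
    return {
        "samples": n,
        "distinct": len(counts),
        "entropy_bits": round(entropy, 2),
        "max_bits": round(math.log2(n), 2),
        "sequential_steps": sequential,
        "span": max(ports) - min(ports),
    }


def rate(ports):
    """Verdict: POOR if the server reuses one port or walks through ports in
    order, FAIR if the spread is narrow, GOOD if ports look spread across
    the ephemeral range."""
    s = port_stats(ports)
    if s["distinct"] == 1:
        return "POOR"   # single fixed port: only the 16-bit ID protects the cache
    if s["sequential_steps"] > s["samples"] // 2:
        return "POOR"   # predictable increment: next port is easily guessed
    if s["entropy_bits"] < s["max_bits"] - 1 or s["span"] < 10000:
        return "FAIR"
    return "GOOD"


# Constructed samples standing in for three resolver behaviours.
FIXED_PORT = [53] * 20                      # unpatched: every query from port 53
INCREMENTING = list(range(32768, 32788))    # sequential ephemeral ports
_rng = random.Random(2008)                  # fixed seed so the sample is reproducible
RANDOMISED = [_rng.randint(1024, 65535) for _ in range(20)]  # patched-BIND style
```

rate(FIXED_PORT) and rate(INCREMENTING) both come back "POOR"; rate(RANDOMISED) comes back "GOOD". Against a real resolver the port list would come from a packet capture of its outgoing queries (the OARC test gets it by having the resolver query a server it controls).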

2008/08/13

Curl

Just when I thought wget was powerful and user-friendly, I hit its limitation of not being able to download files larger than 2 GB (this applies to wget releases before 1.10, which added large-file support). curl is a better choice if I need to download the DVD ISO image of a Linux distribution, which usually has a file size of around 3.3 GB. The command looks a bit strange at first, but it is really not difficult to remember; just think of -o as output to a file instead of output to stdout:

#curl -o linux-dvd.iso http://www.xyz.org/linux-dvd.iso

In fact, I have been troubled by this limitation of wget for many years.

2008/08/08

2008 Olympics Opening

Today is the 8th of August, the day of the 2008 Olympics opening in Beijing, China. Google has put up a nice logo to celebrate the 2008 Olympics opening.



Well-done, Google.

2008/08/06

proftpd to replace vsftpd

I decided to replace vsftpd with proftpd. The reason is that proftpd can skip the reverse lookup of client IP addresses to host names with the directive "UseReverseDNS off" in the config file. There are ISPs that have not properly assigned reverse host names to the IP addresses given to their customers. If the lookup fails, the vsftpd login process times out. I have tried to find out whether it is possible to disable the reverse lookup in vsftpd, but in vain. Obviously proftpd is my choice, to avoid the trouble of reverse lookup failures.

2008/07/08

85,000

The following question once appeared in a primary school general knowledge quiz:

Q: Which policy describes a person whose character is to run away from problems?

Answer: 85,000

2008/06/19

Project Titan by Verisign

A huge project is now taking place globally: Project Titan by VeriSign.
http://www.verisign.com/information-services/ATLAS/Project_Titan/index.html
Project Titan is to expand the critical infrastructure, both in scale and in geographical distribution, and to invest in engineering, monitoring and new proprietary security systems and processes to manage Internet traffic.

By 2010 VeriSign will increase its daily DNS query capacity tenfold from 400 billion queries a day currently to 4 trillion queries a day. It will also scale its proprietary systems to increase its bandwidth capacity ten times from more than 20 gigabits per second (Gbps) to greater than 200 Gbps. By distributing its infrastructure, the .com and .net systems will have greater redundancy and reduced latency, which will improve the experience for users by reducing bottlenecks and increasing speed. The state-of-the-art engineering enhancements to the system will create increased capability to track and correlate security and network related events on a global basis.

2008/06/14

DNS zone transfer risk

2008/06/10

Facebook Blocking

Today I blocked a person who tried to add me as a Facebook friend. That guy uses Facebook as a marketing tool to promote his company's products. He arbitrarily picks user names and attempts to add them. Shame on him!

The guy also made a lot of mistakes on Facebook. First, he does not have a profile picture; how could people recognize him? Second, he does not have any photo album. If people are interested in him, they would like to see his family photos or his photos at work. They want to know what lifestyle he has.

I only add Facebook friends in 5 categories:

1. members of the IT sector
2. members of the information security field.
3. people in the telecom field
4. gym friends
5. past colleagues who have moved on.

2008/06/08

Ngong Ping 360 fibre-optic cable damaged

Yesterday's heavy rain damaged the Ngong Ping 360 fibre-optic cable, affecting the signal transmission for cable car operations and forcing the service to be suspended for several days.

I cannot help wondering why no backup fibre-optic cable was installed when the Ngong Ping 360 cable car system was built, to cope with emergencies. A backup fibre cable must run along a different route, so that the working and standby cables are not damaged at the same time. It seems Ngong Ping 360's management urgently needs to mend the fold now that the sheep are lost.

2008/06/06

Celebrating the 25th anniversary of DNS

DNS, the distributed architecture for resolving an Internet domain name to an IP address, was invented 25 years ago. I would say DNS is the most important application ever built on the Internet. Without it, web browsing, sending email, online chat, MSN etc. would all fail.

Today, DNS serves more than just looking up domain names to find IP addresses. Other sophisticated functions are served by DNS:

1. Routing mail by means of MX records
2. Backing up email delivery by way of the preference level in MX records
3. Suppressing spam by way of Sender Policy Framework and DomainKeys
4. Suppressing spam by way of reverse IP lookup
5. Load balancing and server distribution by way of DNS round robin
6. Supporting VoIP by way of ENUM

Anymore ? There should be some more …

2008/05/26

Facebook as an election propaganda tool

Facebook is a great propaganda tool for elections, especially for functional constituencies like the IT Sector. Candidates can find eligible voters by searching for keywords such as MIET, HKCS, BCS, CISSP, CISA etc. More importantly, this handy tool is free of charge. In the coming LegCo election in September 2008, the communications and networking power of Facebook will be unleashed.

2008/05/25

Hardware encrypted USB memory sticks

The recent privacy incidents in HK arising from the use of portable storage devices tell me that, for maximum security, I need to use hardware-encrypted USB memory sticks. I know these devices are really expensive, around US$100 for a 1 GB USB flash drive. To my dismay, I visited the computer malls in Wan Chai and Sham Shui Po and could not find one to buy.

Hong Kong is at the forefront of IT. How come such useful devices are not available off the shelf in general computer shops?

2008/05/21

Raising Funds for Sichuan victims

CFC is the largest gym club in Hong Kong. So far it has not organized any super theme classes to raise funds for helping the Sichuan victims. My patience on this has run out, and I decided to send my message to its management. I asked the management to check their past records of what they did to help the tsunami victims.

2008/05/18

Cycling instructor

Among the CFC cycling instructors I know, Johnny Chan stands out the most. As far as I remember, from his first day of teaching he has worn proper cycling attire, never any other assorted sportswear in front of his students. When the Schwinn bikes were fitted with cleat pedals, he was among the first (very likely the first) to teach in cycling shoes. His pursuit of professionalism and perfection is very much worth learning from, in my view.

2008/05/15

High Definition TV

This might be good news or bad news.

The communal antenna distribution system in our building has been upgraded to support High Definition TV (HDTV). I have the chance to watch HDTV by spending HK$1x,xxx on a high-end LCD panel and an HDTV decoder. If I really do that, I will be creating a big piece of junk by throwing away my 29-inch traditional TV set. What else? People will laugh at you when they know that your building supports HDTV while you are still watching on a traditional TV set.

For the sake of the environment, forget about what other people say.

2008/05/13

Song requests

After a BodyCombat class, the instructor asked whether the students wanted to request a song, and the whole class kept silent. The clever instructor had already guessed: they were all requesting "Sound of Silence".

2008/05/09

SPF -all

To those system administrators who set up their Sender Policy Framework (SPF) records with -all in their DNS zones, I would like to pay tribute. They are the real anti-spam heroes, with the competent knowledge to fight spam.

What does SPF -all mean?

"v=spf1 ip4:1.2.3.4 -all"

The first record says that only the IP address 1.2.3.4 may use the domain in the SMTP envelope sender (MAIL FROM). The -all at the end tells receivers that mail from any other address should fail the check; with ~all it would only be a soft fail, and with +all, or no all term at all, the record would say nothing useful.

"v=spf1 a:mail.example.com a:xyz.example.com -all"

Similarly, in the second record, only the hosts whose addresses mail.example.com and xyz.example.com resolve to may use the domain in MAIL FROM, while all others fail. Whether a failing message is actually rejected is up to the receiving server's policy; -all only states the publishing domain's intent.

Sadly, only about 1% of domain names in use have an SPF -all record in place.
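How a receiver evaluates those two records, as an added example that is not part of the original post: a minimal SPF check_host covering the mechanisms the records use (ip4, a, include, all) with the four qualifiers, run against a constructed DNS table instead of real lookups. The example.com hosts, their 192.0.2.x addresses and the strict/soft/nospf domains are all constructed for illustration.

```python
import ipaddress

# Constructed DNS data standing in for real TXT and A lookups.
DNS = {
    "example.com": {"TXT": ["v=spf1 a:mail.example.com a:xyz.example.com -all"]},
    "mail.example.com": {"A": ["192.0.2.10"]},
    "xyz.example.com": {"A": ["192.0.2.11"]},
    "strict.example": {"TXT": ["v=spf1 ip4:1.2.3.4 -all"]},
    "soft.example": {"TXT": ["v=spf1 ip4:1.2.3.4 ~all"]},
    "partner.example": {"TXT": ["v=spf1 include:strict.example -all"]},
    "nospf.example": {"TXT": ["some unrelated text"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, dns=DNS):
    """Return the domain's single v=spf1 TXT record, or None if there is
    not exactly one (more than one is a permanent error in real SPF)."""
    found = [t for t in dns.get(domain, {}).get("TXT", [])
             if t.lower().startswith("v=spf1 ")]
    return found[0] if len(found) == 1 else None


def check_host(ip, domain, dns=DNS, depth=0):
    """Evaluate the sending address `ip` against `domain`'s SPF record.
    Mechanisms handled: ip4 (with optional CIDR), a[:domain], include,
    all. Anything else is reported as permerror rather than guessed."""
    if depth > 10:
        return "permerror"          # include loop / too deep
    record = spf_record(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"              # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            target = arg if arg else domain
            matched = ip in dns.get(target, {}).get("A", [])
        elif name == "include":
            matched = check_host(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                 # ran off the end with no match
```

check_host("192.0.2.10", "example.com") returns "pass" and check_host("198.51.100.7", "example.com") returns "fail"; the same foreign address against soft.example returns "softfail", and against a domain with no SPF record "none". The result is what the receiving MTA then maps to reject, tag or accept according to its own policy.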

2008/04/24

SSID of Government WiFi Service

I notice that the SSID of the Government WiFi service is set to "freegovwifi". At first glance, I cannot tell from this SSID that it is a government service unless I read it as three separate parts: "free", "gov" and "wifi". Could some wise guys come up with a better name? Yes, using hyphens between the words would help, and "free-gov-wifi" is much more distinguishable. However, I would add that stating "WiFi" in an SSID is meaningless and a bit redundant. My suggestion is simply "hk-gov", and everybody can tell it is a service offered by the HK Government.

2008/04/20

Write protect switch on USB thumb drive

My 8GB USB memory stick suddenly went wrong: no file could be written to it. It was because a write-protect switch had been toggled to the on position. I have used 5 USB thumb drives before, from 128 MB to 2 GB, and never found a write-protect switch on any of them. This is quite confusing. A write-protect switch should be treated as a standard feature for the benefit of consumers. Another frustrating aspect is the LED light. Some USB thumb drives are equipped with an LED indicator to show the data access status while some are not. I need to look at the LED to be sure that the USB thumb drive is working, reading and writing.

2008/04/13

GSM network to cover fixed line service

SmarTone-Vodafone makes use of its GSM network to provide a wireless fixed-line service. The phone used at home is a modified GSM phone with a base and a handset. The monthly charge, at HK$118 per month, is not competitive indeed. One of the benefits is that the basic plan includes unlimited IP calls overseas. Public acceptance of the new service remains unclear, but SmarTone has made innovative use of its network to attract fixed-line customers.

2008/04/12

BC 35 - United Vibe

I am much impressed by track 2 of Body Combat Release 35, "United Vibe" by Scooter. This track lasts 7 minutes and 12 seconds, the longest track ever seen in the BC series apart from the warm-up tracks. The choreography matches the music perfectly. Every movement looks so nice, energetic and full of agility. I must say I am addicted to this track.

2008/04/04

Farewell to Yvonne

Today California Fitness Club in Causeway Bay held a farewell party for Yvonne. Can anybody imagine how many guest instructors were there? I counted 10: Eric Yeung, Benjamin, Patrick S, Kelvin, Sunny, Jeremy, Martial, Louis, Rex and George. They came voluntarily.

I followed Yvonne for 4 years in BodyCombat, BodyBalance and Pilates. I had a lot of good times in her classes. I am not sure if I can find another instructor like her. To me, she is more than an instructor. I shall always remember her.

What are the changes to the evening classes after Yvonne leaves? At least two: the BodyCombat and BodyBalance classes at Pak Po Lee on Wednesday will be cancelled. I am not aware of any schedule changes at other clubs.

2008/03/10

Running Sendmail with Sender Policy Framework

My experience in getting the SPF milter to run with Sendmail is recapped below:

1. Check that the installed sendmail was compiled with the MILTER option:
# sendmail -d0.1 -bt < /dev/null | grep MILTER
2. Get the libspf2 rpm and install it with rpm -ivh;
3. Get the spfmilter rpm and install it with rpm -ivh;
4. Add the following to sendmail.mc:
INPUT_MAIL_FILTER(`spfmilter', `S=unix:/var/run/spfmilter.sock, T=S:4m;R:4m')
5. Rebuild sendmail.cf;
6. Run # spfmilter unix:/var/run/spfmilter.sock
7. Restart sendmail.

2008/03/07

A chart of IPv4 allocation

This is an interesting chart.



Do you believe we still have 25% of the unicast address space remaining?

2008/02/25

how to show DNS recursive resolution

If I am asked to explain the concept of DNS recursive resolution, I would prepare a sketch like the one below:



There is an alternative. In a Linux/Unix shell, the command "dig +trace FQDN" does the same. dig makes iterative queries to resolve the name being looked up, following referrals from the root servers and showing the answer from each server used to resolve the lookup.
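The walk that dig +trace prints, as an added example that is not part of the original post: a tiny iterative resolver that starts at a root hint, follows each referral (delegation NS plus glue address) and stops at the server that holds the answer. The authoritative data for the three servers is constructed; the 198.41.0.4 and 192.5.6.30 addresses are used only as recognisable labels for "a root server" and "a .com server", and 192.0.2.x is documentation space.

```python
# Constructed authoritative data for three name servers, standing in for
# the real root, .com and example.com servers that dig +trace would walk.
# Each server either delegates a zone (NS names plus glue addresses) or
# holds the final A records.
SERVERS = {
    "198.41.0.4": {            # a root server: only knows the TLD delegations
        "delegations": {"com.": ["a.gtld-servers.net."]},
        "glue": {"a.gtld-servers.net.": "192.5.6.30"},
        "records": {},
    },
    "192.5.6.30": {            # a .com server: delegates example.com
        "delegations": {"example.com.": ["ns1.example.com."]},
        "glue": {"ns1.example.com.": "192.0.2.53"},
        "records": {},
    },
    "192.0.2.53": {            # authoritative for example.com
        "delegations": {},
        "glue": {},
        "records": {"www.example.com.": "192.0.2.80", "example.com.": "192.0.2.80"},
    },
}
ROOT_HINT = "198.41.0.4"


def closest_delegation(server, qname):
    """Pick the longest zone this server delegates that encloses qname."""
    best = None
    for zone in server["delegations"]:
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def resolve(qname, servers=SERVERS, root=ROOT_HINT, max_hops=10):
    """Iterative resolution from the root, as a recursive resolver (or
    dig +trace) performs it. Returns (address_or_None, trace), where trace
    lists (server_ip, what_it_answered) for each hop."""
    qname = qname if qname.endswith(".") else qname + "."
    current, trace = root, []
    for _ in range(max_hops):
        server = servers[current]
        if qname in server["records"]:
            answer = server["records"][qname]
            trace.append((current, "answer %s A %s" % (qname, answer)))
            return answer, trace
        zone = closest_delegation(server, qname)
        if zone is None:
            trace.append((current, "no data for %s" % qname))
            return None, trace
        ns = server["delegations"][zone][0]
        trace.append((current, "referral %s NS %s" % (zone, ns)))
        current = server["glue"][ns]   # follow the glue address to the next server
    return None, trace                 # referral chain too long
```

resolve("www.example.com") returns ("192.0.2.80", trace) with one entry per hop: the root server's referral for com., the .com server's referral for example.com., and the final answer from ns1.example.com. A name under a TLD the root table does not delegate stops after the first hop, which is what a real root server's NXDOMAIN looks like in a trace.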

2008/02/19

Using different port number for SSH, SFTP and SCP clients

How do I access hosts running an SSH daemon on a non-standard port such as 747? SSH supports SFTP and SCP on the same daemon, so the command syntax for SSH, SFTP and SCP should also be remembered. The answers are below:

#ssh -p 747 user@abc.com
#sftp -oPort=747 user@abc.com
#scp -P 747 user@abc.com:/directory/file .

Lower-case and capital P mean different things: in scp, -p preserves the modification and access times of the file, whereas -P specifies the port number. For ssh there is no -P; -p sets the port number.

2008/01/27

Performance pledge on network availability

The 5 biggest ISPs in HK (PCCW-IMS, HGC, HKBN, NWT and i-cable) have all published performance pledges on network availability. PCCW-IMS, HGC, HKBN and NWT all pledge to achieve network availability of 99.99%. As for i-cable, it only guarantees 99% network availability to subscribers. Actually, 99% availability means a loss of service of up to 87.6 hours in a year, against under an hour at 99.99%. I could not understand what makes HFC and cable modem technologies less reliable than xDSL and Metro Ethernet.
The 5 biggest ISPs in HK (PCCW-IMS, HGC, HKBN, NWT and i-cable) have all published their performance pledge on network availability. PCCW-IMS, HGC, HKBN and NWT all pledge to achieve network availabilty of 99.99 %. As for i-cable, it only guarantees 99 % of network availability delivered to subscribers. Actually, 99 % availability means loss of services of 87 hours in a year. I could not understand what makes HFC and cable modem technologies not as reliable as xDSL and Metro-Ethernet.