The difference

This picture tells the difference between Windows and Ubuntu OS.

On the CD surface, the following are marked:

Windows: Please do not lend or make illegal copy of this software.

Ubuntu: Legally free to copy, modify and redistribute.


MTR Internet kiosks block Facebook

I tried to access Facebook in an MTR Internet kiosk. The connection was blocked and the alert message was that access to dating web sites was prohibited due to security policy. Facebook is a social networking platform with over 1 million Hong Kong people registered. People use Facebook for a variety of purposes like exchange of messages, chatting with online friends, sharing of photos and videos, group discussions of a common theme, inviting friends to events and giving electronic gifts etc. I cannot imagine why Facebook should be blocked.


New Zealand CERT

When talking to a friend from New Zealand, I was told that the New Zealand Government will only establish NZ CERT in 2009. I checked this and the finding was correct.

New Zealand is a highly developed country. There should not be resource problems such as funding and skilled workforce to support the CERT operation. The lack of a national CERT could undermine people's confidence in e-commerce, online transactions and other Internet-based activities. Suffice it to say, this is detrimental to the long-term development of a country.


"Election situation critical" - deceiving voters



Dan Kaminsky

Since July, the name “Dan Kaminsky” has appeared on numerous web sites related to Internet and IT security because of his great work in digging out an alarming fundamental design flaw in DNS that leads to cache poisoning. The presentation (107 slides) by Dan Kaminsky at the Black Hat USA 2008 Conference can be obtained at http://www.doxpara.com/DMK_BO2K8.ppt. The title is “Black Ops 2008 -- Its The End Of The Cache As We Know Or: ‘64K Should Be Good Enough For Anyone’”.

I enjoyed reading his great work though I could only understand less than half of the contents.


Fake lowest and highest MX record to reduce zombie spam

I have been using the fake lowest MX record method to reduce zombie-originated spam. An example is as follows:

1H IN MX 10 fake.mymail.com.
1H IN MX 20 realmx.mymail.com.

The host named in the fake MX=10 record can either be left undefined or point to a dead IP address.

Legitimate sending mail servers will get an error on MX=10, retry with MX=20 and deliver the email successfully after some delay. Zombie spam senders will not try MX=20 and will just move on to the next victim.

The above has the shortcoming that a zombie might try to deliver to the IP address read from the highest MX record (usually the backup server), on the assumption that the backup mail server has fewer anti-spam features. A more careful setting is:

1H IN MX 10 fake.mymail.com.
1H IN MX 20 realmx.mymail.com.
1H IN MX 30 fake.mymail.com.

Some have reported that the fake lowest and highest MX records working together can reduce zombie spam by 90%.

More information on this method is in http://wiki.apache.org/spamassassin/OtherTricks
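
The effect of the two layouts above can be modelled offline. This is an added example, not code from the original post: a standards-following sender walks the MX list in preference order, while the two zombie behaviours described above each try a single host. The host names are the post's; the `DEAD` set, the strategy names and the function names are assumptions of this sketch.

```python
# Added example: offline model of the two MX layouts in the post.
# Host names come from the post; DEAD and the strategy names are assumptions.

BASIC = """
    1H IN MX 10 fake.mymail.com.
    1H IN MX 20 realmx.mymail.com.
"""
SANDWICH = BASIC + "    1H IN MX 30 fake.mymail.com.\n"
DEAD = {"fake.mymail.com"}          # assumed: nothing answers on port 25 here
STRATEGIES = ("compliant", "lowest_only", "highest_only")


def parse_mx(zone_text):
    """Extract (preference, host) pairs from 'TTL IN MX pref host' lines."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if "MX" in fields and len(fields) >= fields.index("MX") + 3:
            i = fields.index("MX")
            records.append((int(fields[i + 1]), fields[i + 2].rstrip(".").lower()))
    return records


def attempts(records, strategy):
    """Hosts a sender tries, in order, under the given strategy."""
    ordered = [host for _, host in sorted(records, key=lambda r: r[0])]
    if strategy == "compliant":       # real MTA: lowest preference first, then fall back
        return ordered
    if strategy == "lowest_only":     # zombie: single shot at the primary
        return ordered[:1]
    if strategy == "highest_only":    # zombie: single shot at the presumed backup
        return ordered[-1:]
    raise ValueError(f"unknown strategy: {strategy}")


def delivered_to(records, strategy, dead_hosts):
    """Return the host that accepts the message, or None if every attempt fails."""
    for host in attempts(records, strategy):
        if host not in dead_hosts:
            return host
    return None


def outcomes(zone_text, dead_hosts=DEAD):
    """Map each sender strategy to the host that ends up accepting its mail."""
    records = parse_mx(zone_text)
    return {s: delivered_to(records, s, dead_hosts) for s in STRATEGIES}


if __name__ == "__main__":
    for name, zone in (("lowest only", BASIC), ("lowest + highest", SANDWICH)):
        print(name, outcomes(zone))
```

The model covers only single-attempt senders; a sender that walks the full MX list reaches the real server under either layout.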


A remote control for men only

A friend sent me this remote control on my Facebook FunWall. It is for men only. Of course, children should not touch it.





DNS Port Randomness Test

One of my DNS servers has been upgraded from BIND 9.4.2 to BIND 9.5.0-P1 in order to circumvent the cache poisoning problem due to the lack of randomness in port numbers. The test string and the server for testing the randomness can be found at https://www.dns-oarc.net/oarc/services/porttest.

After the upgrade, the port randomness problem is resolved.



Just when I thought wget is powerful and user-friendly, it has a limitation of not being able to download files larger than 2GB. Curl is a better choice if I need to download DVD ISO images of Linux packages, which usually have a file size of around 3.3 GB. The command string looks a bit strange at first, but it is really not difficult to remember; just think of the -o as output to a file instead of output to stdout:

#curl -o linux-dvd.iso http://www.xyz.org/linux-dvd.iso

In fact, I have been troubled by this limitation of wget for many years.


2008 Olympics Opening

Today is the 8th of August, the day of the 2008 Olympics Opening in Beijing, China. Google has put up a nice logo to celebrate the 2008 Olympics Opening.

Well done, Google.


proftpd to replace vsftpd

I decided to replace vsftpd with proftpd. The reason is that proftpd can bypass reverse lookup of IP addresses to domain names with the directive "UseReverseDNS off" in the config file. There are ISPs that have not properly given reverse hostnames to the IP addresses assigned to their customers. In case of lookup failure, vsftpd will time out in the login process. I have tried to search if it is possible to disable reverse lookup in vsftpd but in vain. Obviously, proftpd is my choice in order to avoid the trouble of reverse lookup failure.