2009/12/28

wildcard domains

I have tried configuring wildcard domains for Bind and Apache to work together. In Bind, the syntax in a zone file (example.com) is simple:

*.example.com. 1H IN A 1.2.3.4

As for Apache, the directive that enables name-based virtual hosting must be switched on:

NameVirtualHost 1.2.3.4

Next comes the ServerAlias inside the VirtualHost:

# comment: this one accepts any subdomain
#
<VirtualHost 1.2.3.4:80>
DocumentRoot /var/www/html/subdomain
ServerName www.example.com
ServerAlias *.example.com
</VirtualHost>

The above configuration is easy to understand: any host name ending in example.com will be served by the www.example.com virtual host. The position of the wildcard entry needs care. It must come last, after the virtual hosts for the valid, specific subdomain names, because Apache scans the virtual host definitions in order and uses the first one that matches.
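
As an added illustration of that ordering rule (not the post's own configuration; the extra hostnames and paths are made up), the specific virtual hosts come first and the wildcard catch-all last:

```apache
# Added example, not from the post. The first VirtualHost for an address:port is
# also Apache's default for Host: headers that match nothing, so put the site you
# want as the fallback first, and the *.example.com catch-all last.
NameVirtualHost 1.2.3.4:80

<VirtualHost 1.2.3.4:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/html/www
</VirtualHost>

# A specific subdomain: placed before the wildcard so it keeps its own root.
<VirtualHost 1.2.3.4:80>
    ServerName mail.example.com
    DocumentRoot /var/www/html/mail
</VirtualHost>

# Catch-all: anything.example.com that was not matched above lands here.
# (On the DNS side the *.example.com A record likewise only answers for names
# that have no explicit record of their own, so mail.example.com still needs
# its own entry in the zone if it should resolve.)
<VirtualHost 1.2.3.4:80>
    ServerName catchall.example.com
    ServerAlias *.example.com
    DocumentRoot /var/www/html/subdomain
</VirtualHost>
```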

I cannot think of any practical applications of wildcard domains. Some might argue that if the subdomain part is mistyped, users can still reach the correct website.

One question I have in mind is can IIS support wildcard domains?

2009/12/26

IPv6 and IPv4 gateway services

SixXS is providing IPv6 and IPv4 gateway services through the use of domain names. Suppose an IPv6-only host wants to access the IPv4-based www.cnn.com; the URL is www.cnn.com.sixxs.org. Conversely, for an IPv4 host to access IPv6 servers such as ipv6.google.com, the URL will be ipv6.google.com.ipv4.sixxs.org.

Great work. This is another way for people to access IPv6 web sites without using tunneling.

2009/12/23

US Cybersecurity Chief

Mr Howard Schmidt, our ISC2 Director has been appointed by President Obama as the US Cybersecurity Chief. This is a great honor to all ISC2 members.

Perhaps PISA should announce this good news at the Annual Dinner next month.

2009/12/22

A standalone host

Friends on the Mainland need to be extremely alert when discussing IT on the web. Take, for example, the sentence "一台獨立的主機,可架設多個虛擬網站" ("a standalone host can run multiple virtual websites"). The two characters 「台獨」 (which also read as "Taiwan independence") will have the GFW tracking down where the sender is, and the public security bureau will invite you to assist with their investigation. I do not know whether this is laughable or absurd!

2009/12/16

.google top level domain

Google has conquered the cyber world, so why not have its own top level domain? I bet the TLD ".google" will appear very soon. What would the results be then? Google search at search.google, Gmail at mail.google, Google Maps at map.google, Blogger at blog.google etc…

Wooo.. Google will become bigger, stronger and more powerful than any company in the world.

2009/12/09

6to4 Reverse DNS Delegation

A visitor to my blog informed me that the Number Resource Organization (NRO) is the authority for 6to4 reverse DNS delegation. The delegation is done at https://6to4.nro.net/. I am really surprised as I have always wanted to set reverse lookup of my 6to4 address in order to set up SMTP service.

Since I am using the IP address 202.81.252.116, upon converting to 6to4 address, I own the IPv6 address prefix of 2002:ca51:fc74::/48. The requirements to meet 6to4 RDNS delegation are very strict:

1. The requester must use a 6to4 IPv6 address to visit the web site.

2. Only RDNS delegation of a /48 prefix related to the visiting IPv6 address is allowed.

3. The website knows which /48 prefix is to be delegated by checking on the visiting 6to4 address. There is no need for the requester to make any input.

4. The nameservers must have the proper configuration in place to handle the reverse lookup of the /48 prefix before requesting the delegation. Once the submit button is clicked, reverse lookup will be checked and if there is anything wrong, the delegation will not be successful.

I fully support these rules, as they are designed to verify who owns a 6to4 address range.

Happily, I passed all the checks. I am now able to do "dig -x 2002:ca51:fc74::1", which points to "ipv6.warrenkwok.com".

I would like to give a big thank you to the Number Resource Organisation.

2009/12/08

IPv6 Reverse DNS Configuration

On IPv6, I do have some good news this week.

By now I am able to do configurations for IPv6 reverse DNS delegation on /48, /56 and /64 subnets. For a couple of months, the syntax of the Bind config files and the zone files for IPv6 reverse lookup scared me to death. However, after playing around and looking at the settings of existing working IPv6 systems through "dig -x", I was able to figure out how these things worked together.

It has been a great learning exercise. I will create sample templates for /48, /56 and /64 subnets for my future reference.

2009/12/07

IPv6 Certification Scorecard

IPv6 Certification Badge for warrenkwok

After 100 days of daily ping6, traceroute6, dig and whois, I have made the top score of 1400 for my IPv6 Sage Certification. That said, I do not need to log on to Hurricane Electric's certification web site any more. However, in order to keep abreast of IPv6 development, I still read the discussions in HE's forum.

2009/12/03

4-byte Autonomous System Numbers

Some ISP friends told me that they found AS numbers larger than 65536, in the range 13XXXX, in advertised BGP routes. This is a good sign, since some service providers are using 4-byte AS numbers for their routing. Without resorting to 4-byte AS numbers, newcomers cannot have their routers hooked up to the Internet.

In fact, APNIC is administering the 2.xxxxxx prefix for 4-byte AS numbers. The first 4-byte AS assigned to Hong Kong is 2.155, or written as AS131227 (2 x 65536 + 155). It is good to see that whois searches can also support AS numbers larger than 65536.

[root@localhostl]# whois -h whois.apnic.net AS131227
aut-num: AS131227
as-name: ASIADC-HK-AP
descr: Asia Data Center Limited
country: HK
admin-c: ADCL1-AP
tech-c: ADCL1-AP
mnt-by: MAINT-ASIADC-HK
changed: hm-changed@apnic.net 20090914
source: APNIC


2009/11/30

Internode brings surprise to the IPv6 world

Australian ISP Internode has brought a surprise to the IPv6 world: it has rolled out a native IPv6 trial service over ADSL. Users are offered a /60 prefix, and it is up to users' broadband routers to allocate IPv6 addresses to their hosts. This is the first time an IPv6 trial service has involved prefix delegation to end users. However, as reported by some Australian users, the only compatible CPE is the Cisco 877 ADSL router running IOS 12.4, which can handle prefix delegation and IPv6 address allocation to hosts.

The trial service of Internode is more advanced than the current residential IPv6 service of NTT. NTT only offers one single IPv6 address instead of a /60 or /64 prefix.

2009/11/25

Number of friends in a facebook account

I recently found that there is a limit on the number of friends in a facebook account. The limit is set at 5000. My question is if someone opens two accounts, how can the status update be propagated to friends of both accounts.

Still on facebook. The word "unfriend" now appears in Oxford dictionary. It has the meaning of pulling out a friend from the facebook friend list. Personally, I think "defriend" might be better. I can quote good examples of starting with de to mean doing something opposite.

2009/11/11

Facebook scam

I received several emails about a Facebook scam for stealing login information:

"Dear Facebook user,

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security.
Before you are able to use the new login system, you will be required to update your account.

Click here to update your account online now.
If you have any questions, reference our New User Guide.

Thanks,
The Facebook Team"

The sending domain is "facebookmail.com". This domain is very questionable and is registered with malicious intent. I just wonder why the domain name registrar cannot deny the registration.

2009/11/10

40th anniversary of Sesame Street

Did any organization remind us of the 40th anniversary of Sesame Street? Google did.

Look at this lovely picture in Google page:

2009/11/05

rsync to download Fedora Core iso image

More and more mirror sites of Fedora Core offer the rsync capability for getting the ISO images. It is therefore necessary for me to practise downloading by rsync. I have tried the following with success:

#rsync -zvP rsync://fedora.mirrors.hkt.cc/fedora/releases/11/Fedora/i386/iso/Fedora-11-i386-DVD.iso .

Note the -P attribute which is quite important to monitor progress of transfer and the estimated time remaining.

2009/11/03

HKDNR now supports IPv6 glue records

Last Friday, I was informed by the IT Manager of HKDNR that the .hk TLD nameservers can now support hosts with IPv6 addresses as glue records. I have tested the glue functionality and the results were perfect.

This is a major development in the DNS infrastructure. By allowing IPv6 glue, HKDNR is helping the Internet community in Hong Kong to better prepare for transition to IPv6. By now, I can tell my friends that Hong Kong is not far lagging behind in IPv6 preparedness.

2009/10/26

naming of Windows 7

Microsoft said Windows 7 is so named because it is the 7th generation of the Windows OS. Can anyone still recall all the previous six generations? It's not difficult. I would say they were Windows 3, Windows 95, Windows 98, Windows 2000, Windows XP and Windows Vista.

Back to history again: a TCP/IP stack was added starting from Windows 95. An IPv6 stack was available in Windows 2000, Windows XP and Windows Vista, but Windows 2000 and Windows XP required users to install and enable it. For Vista, IPv6 is enabled by default. Of course, as Windows 7 is an improvement over Windows Vista, all IPv6 features are retained.

Wa.., the photo below is interesting, a burger with 7 layers of beef:

2009/10/20

HSBC's dual-password logon

Recently, I was shocked by HSBC's dual-password logon to its Internet banking service. In this scheme, the authentication page requires users to give the first password as the exact full string, while for the second password users are only required to input 3 characters, and the positions of the characters to be input are random. I have a screen capture to illustrate.



Keyloggers from malware infections can capture all the typed strings, including usernames, the first password and whichever characters of the second password are entered. A hacker then only needs to find the position on the screen and inject the known characters in order to get access. I am of the view that this protection scheme is much weaker than using security tokens. HSBC advises that this is to give more convenience to users, given that some might not carry their tokens with them all the time.

I myself would not use this kind of authentication.

2009/10/18

Safe Internet banking by using Linux live CD

Some security experts have suggested using a Linux live CD for safe Internet banking. This makes good sense, considering that malware is targeted at stealing data from Windows-based systems and won't load or work when the user boots from a live CD.

Some might argue that not many people understand how to burn the ISO image of a Linux live CD and use it for a single application. If that is the case, they should consider using an Apple Mac instead of a Windows PC.

2009/10/15

IPv6 Proxy

I have added one of my websites to an IPv6 proxy (http://www.ipv6proxy.nl/).

If a website is configured with an IPv4 address only, there is no way hosts in the IPv6-only cloud can access it. The IPv6 proxy turns out to be a solution.

The IPv6 proxy listens to 2a00:d00:ff:131:94:228:131:131 and it will fetch website contents over IPv4 and then pass to the visiting IPv6 browser clients. The website owner is required to add an AAAA record 2a00:d00:ff:131:94:228:131:131 to the website such as:

"www.example.com. 1H IN AAAA 2a00:d00:ff:131:94:228:131:131"

The last step is of course to register the website name with the proxy.

This is a cool application from an IPv6 implementation perspective.

2009/10/09

Facebook Extended Maintenance

For the past 5 days, I was not able to log in to Facebook. Today, the situation has not changed, but Facebook tried to give a different error message:

"Sorry, due to site maintenance your account is unavailable at this time. We are currently experiencing an extended site maintenance issue that is preventing some users from accessing their accounts or Pages they may administer. Rest assured that your account has not been deleted or compromised. Your original account will be restored as soon as possible so there is no need to create a new one. We sincerely apologize for any inconvenience you've encountered while attempting to log in to Facebook during this time.

You can stay updated with the progress of this bug by visiting the Help Center."

I am sure that a huge number of account holders could not wait for so many days and they have already created new accounts. Sigh... the proper message prompt comes a bit too late.

2009/10/08

Setting up 6to4 tunnel in FC10

My FC10 server is bound to the IP address 202.81.252.116. With this IPv4 address, the whole 2002:ca51:fc74::/16 range of IPv6 addresses belongs to me. Yesterday, I arbitrarily took the first host in the range, so the IPv6 address of my server in 6to4 tunnel mode became 2002:ca51:fc74::1/16. Then I performed the following:

#ip tunnel add 6to4 mode sit remote any local 202.81.252.116
#ip link set dev 6to4 up
#ip addr add 2002:ca51:fc74::1/16 dev 6to4
#ip -6 route add 2002::/3 via ::192.88.99.1 dev 6to4 metric 1026

Afterwards, ifconfig showed that the IPv6 address 2002:ca51:fc74::1/16 was bound to the 6to4 tunnel, and ping6 ipv6.google.com was successful. Great learning experience.

2009/10/01

check ssl private key and public key are matched

This is a tough question. How can I verify that an SSL private key (e.g. server.key) and the certificate carrying the public key (e.g. server.crt) match? The steps are:

#openssl x509 -noout -text -in server.crt

Look for the string of modulus which is 1024 bit and then

#openssl rsa -noout -text -in server.key

Again, look for the string of modulus which should match exactly that of the previous step for the public key.

A sample of the modulus of my server certificate is as follows:

Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:a9:47:4f:dc:2d:20:4d:90:50:40:d5:e5:8c:09:
f3:fb:ca:03:b3:4c:aa:7d:29:b9:37:fb:cc:01:a4:
87:1a:3a:72:0c:c4:fd:7a:35:a0:2d:14:13:63:4c:
a9:16:0b:52:c7:ef:67:ee:29:cc:a5:29:4d:8d:b7:
eb:0f:52:35:11:12:2c:9e:a6:53:6b:d9:80:5b:da:
ba:1b:91:29:2e:08:7b:97:a3:73:bf:77:b1:50:dc:
75:14:d4:42:c2:4b:a4:5b:68:a2:22:bc:d7:72:97:
42:95:ed:a0:32:7d:bf:29:53:12:9a:ea:f0:97:6f:
d2:c8:95:8a:c6:a4:6d:23:59
Exponent: 65537 (0x10001)
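
The comparison above done programmatically, as an added example that is not from the post: the two openssl commands label the modulus differently ("Modulus (1024 bit):" or "Modulus:" for the certificate, lowercase "modulus:" for the key), wrap the hex over several lines and may prefix a 00 sign byte, so the text dumps cannot simply be string-compared. The sample dumps are constructed from the modulus shown above, with made-up placeholder bytes for the private-key fields; the single-line "Modulus=HEX" form printed by `openssl x509 -noout -modulus` and `openssl rsa -noout -modulus` is accepted as well.

```python
"""Check that an RSA certificate and private key carry the same modulus by
parsing the text dumps of `openssl x509 -text` and `openssl rsa -text`.
Added example, not the blog author's code."""
import re

# Label line of the modulus field in any of the openssl text formats.
_LABEL = re.compile(r"^\s*modulus\b\s*(?:\(\d+ bit\))?\s*[:=]\s*(.*)$", re.IGNORECASE)
# One wrapped line of colon-separated hex bytes, e.g. "00:a9:47:4f:".
_HEXLINE = re.compile(r"^\s*(?:[0-9a-f]{2}:)*[0-9a-f]{2}:?\s*$", re.IGNORECASE)


def extract_modulus(text: str):
    """Return the modulus as an int, or None if no modulus field is present."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = _LABEL.match(line)
        if not m:
            continue
        rest = m.group(1).strip()
        if rest:                                   # single-line Modulus=HEX form
            return int(rest, 16)
        parts = []                                 # wrapped colon-separated form
        for nxt in lines[i + 1:]:
            if not _HEXLINE.match(nxt):
                break                              # next label (Exponent: etc.)
            parts.append(nxt.strip())
        if not parts:
            return None
        # int() ignores the leading 00 sign byte, so both forms compare equal.
        return int("".join(parts).replace(":", ""), 16)
    return None


def moduli_match(cert_text: str, key_text: str) -> bool:
    """True if the certificate and the private key carry the same modulus."""
    n_cert = extract_modulus(cert_text)
    n_key = extract_modulus(key_text)
    if n_cert is None or n_key is None:
        raise ValueError("no modulus field found in one of the inputs")
    return n_cert == n_key


# Constructed sample: the modulus from the post, in the x509 -text layout.
CERT_TEXT = """\
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a9:47:4f:dc:2d:20:4d:90:50:40:d5:e5:8c:09:
                    f3:fb:ca:03:b3:4c:aa:7d:29:b9:37:fb:cc:01:a4:
                    87:1a:3a:72:0c:c4:fd:7a:35:a0:2d:14:13:63:4c:
                    a9:16:0b:52:c7:ef:67:ee:29:cc:a5:29:4d:8d:b7:
                    eb:0f:52:35:11:12:2c:9e:a6:53:6b:d9:80:5b:da:
                    ba:1b:91:29:2e:08:7b:97:a3:73:bf:77:b1:50:dc:
                    75:14:d4:42:c2:4b:a4:5b:68:a2:22:bc:d7:72:97:
                    42:95:ed:a0:32:7d:bf:29:53:12:9a:ea:f0:97:6f:
                    d2:c8:95:8a:c6:a4:6d:23:59
                Exponent: 65537 (0x10001)
"""

# Constructed sample: the same modulus as `openssl rsa -text` prints it. The
# private-key fields after it are made-up placeholders, not real key material.
KEY_TEXT = """\
Private-Key: (1024 bit)
modulus:
    00:a9:47:4f:dc:2d:20:4d:90:50:40:d5:e5:8c:09:
    f3:fb:ca:03:b3:4c:aa:7d:29:b9:37:fb:cc:01:a4:
    87:1a:3a:72:0c:c4:fd:7a:35:a0:2d:14:13:63:4c:
    a9:16:0b:52:c7:ef:67:ee:29:cc:a5:29:4d:8d:b7:
    eb:0f:52:35:11:12:2c:9e:a6:53:6b:d9:80:5b:da:
    ba:1b:91:29:2e:08:7b:97:a3:73:bf:77:b1:50:dc:
    75:14:d4:42:c2:4b:a4:5b:68:a2:22:bc:d7:72:97:
    42:95:ed:a0:32:7d:bf:29:53:12:9a:ea:f0:97:6f:
    d2:c8:95:8a:c6:a4:6d:23:59
publicExponent: 65537 (0x10001)
privateExponent:
    00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:
    ff:00
"""

# A key whose last modulus byte differs: the pair must be reported as a mismatch.
OTHER_KEY_TEXT = KEY_TEXT.replace("6d:23:59", "6d:23:5a")
```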

2009/09/24

DVD to iso image

Suppose I have a DVD of FC10; how can I convert it into an ISO image and then burn more DVDs? The way to do it is "dd if=/dev/hdc of=/home/FC-10.iso".

No doubt I need to use the above skill several times a year. It is pretty practical and simple to understand if you have tried dd before. Of course, if I had two DVD read/write drives, I could read from one drive and write to the other. But that straightforward way of getting things done is not what I want.

2009/09/20

Grub failure in FC10

Yesterday, I tried to upgrade a server from FC9 to FC10. The upgrade process was OK. However, grub did not boot. Some hints from searching Red Hat suggested using the FC9 DVD to rescue it. The steps are as follows:

- Boot with FC9 DVD, select rescue mode
- chroot /mnt/sysimage
- grub-install /dev/sda
- reboot again to fix the problem

It worked and the grub was rescued.

I have to memorize these steps. The same problem might happen again when I upgrade FC10 to FC11.

2009/09/19

monitor the progress of dd

I had to use Helix to clone a hard disk with dd. As usual, the format is:

#dd if=/dev/hda of=/dev/hdc

However, no progress can be monitored.

I open another terminal window and, by means of top, find the PID of dd. Next,

#kill -SIGUSR1 pid

Now, switching back to the terminal that is running dd, the progress (how many bytes have been written to the destination drive) is displayed.

2009/09/17

man toilet

The most interesting command in Unix/Linux is "toilet". If I want to check its usage, I will consult the manual page. This gives another funny combination: "man toilet".

Of course, we don't have such funny things in Windows.

2009/09/16

facebook passed 300 million users

Congratulation to Facebook

Facebook founder Mark Zuckerberg said that Facebook has 300 million users. In addition, Facebook has started to make money ahead of schedule. Profit can be expected in 2010.

For sure, Facebook is the world's biggest social networking platform.

2009/09/12

Global IPv6 routing table passed 2000 prefixes

According to Hurricane Electric, the global IPv6 routing table has passed 2000 IPv6 prefixes. This shows a steady growth in the deployment of IPv6 backbones.

Other useful data about IPv6 infrastructure are as follows :

- There are now over 1500 IPv6 glue records in the TLD zone files. The addition of IPv6 glue records at the TLD level is a good gauge of hosting infrastructure IPv6 growth, since it indicates operational commitment on the part of individual nameserver operators.

- Top Level Domains (TLDs): 280, TLDs with IPv6 nameservers: 223, Percentage of TLDs with IPv6 nameservers: 79.6%

- TLDs with nameservers with IPv6 glue in the root zone: 170, Percentage of TLDs that have nameservers with IPv6 glue in the root zone: 60.7%

I do have two domain names with IPv6 glue records at the .com TLD. My contribution is therefore 2/1500 or 0.13%.

2009/09/10

Email scam

For almost 3 years, I had not received any scam email. Then, this week, I received one.

******** Quote ********
From: kone_musa1@cantv.net

Dear Friend (Being A Foreigner),

With your Profile today I am satisfied that you have an understanding of the need for absolute secrecy in this pending project, hence my firm belief that I can count on your total support and confidentiality.

I am Mr Kone Musa, A staff of one of the commercial bank in COTE D'IVOIRE.I am pleased to get across to you for a very urgent and profitable business proposal, though I don't know you neither have I seen you before but my confidence was reposed on you.A contract file worth ( US$6.350.000) Dollars with the name has been noticed lying waste in our contract and account department.Please Get back to me for more information.

Thanks

From Kone Musa

******* End of Quote ********

2009/09/04

Google Sorry Page

Two days ago, I was frustrated to see the following page from Google.



My PC is free of viruses, malware or spyware. Most important of all, I am human. Why did Google stop me from using the service?

2009/09/03

WEP deadline

Version 1.2 of the PCI Data Security Standard mandates that no new WEP networks can be installed after March 31, 2009, and all existing WEP installations must be decommissioned by June 30, 2010. Today, wireless networks are widely used in stores and retail operations, but not all are secured. The WEP deadline is definitely an important milestone for the information security industry.

2009/08/30

Math CAPTCHA

Late last year, there were reports that hackers could successfully pass CAPTCHA image tests by using sophisticated character reading/recognition techniques. With this trend, software developers try to make CAPTCHA tests more difficult to break by introducing MATH CAPTCHA.

The images below are from some websites that use them to protect against input by automated scripts:

The web site asks for the result of the math problem shown in the image above.

It seems MATH CAPTCHA tends to offer a higher level of protection, as it requires a human mind to solve a math equation. But sooner or later, hackers will make it useless again.

2009/08/28

Small letters should be used in IPv6 addresses

I have noticed that it has become the norm in the industry NOT to use capital letters for the characters A to F in IPv6 addresses, either in documentation or in actual DNS entries. For instance:

2001:371::ABCD should be avoided and
2001:371::abcd should be preferred.

Actually, the use of lowercase letters could cause more reading errors, since a, b, c and d can all be confused with 0, whereas capital letters tend to cause fewer reading errors (just B and D being confused with 8 and 0). However, lowercase is chosen because the majority of name servers run under Linux and Unix, which are case sensitive and where lowercase is traditionally used.

2009/08/26

Phishing filter and visual indication of EV SSL Certificate

One of my IE7 browsers had the phishing filter disabled for faster web access, without going to Microsoft's US site to check each domain against phishing. However, a problem arose. Whenever I accessed secure web sites (https://www.isaca.org/ or https://www.hsbc.com.hk/) signed with an EV (Extended Validation) SSL server certificate, the address bar would not turn green. On careful checking, the problem was related to the phishing filter being disabled. So what should I choose, the green address bar of EV SSL or faster access without the phishing filter? I picked the latter.

2009/08/25

wild card SSL certificate

I found one organization in Hong Kong, HKCERT, using a wildcard SSL certificate. The certificate states that it is issued to the domain *.hkcert.org, as shown below:



A note on the cost. Quoting from Thawte, the annual fee of a wild card certificate is US$799 whereas that of a standard certificate is US$249.

2009/08/24

What interfaces should be eliminated in modern netbook ?

A netbook must be slim, light and handy, and consume as little power as possible. To further reduce the size and power drain of netbooks, I think at least the LAN socket and the VGA outlet can be eliminated. For LAN, it is because netbook computers are used in a mobile environment; the existing bundle of HSPA, WiFi and Bluetooth is sufficient for wireless access. As for the VGA connector, it has no useful purpose at all unless you use it for presentations. Besides, the dimensions of the VGA connector defeat the slim design of a netbook. It should be eliminated for the sake of consumers and convenience.

After removing the two interfaces, there should be a reduction in power drain.

2009/08/17

The Mainland Chinese translations of the Transformers characters' names are hilarious

The Mainland Chinese translations of the Transformers characters' names are hilarious:

Character        Hong Kong name   Mainland name
Autobots         博派             汽車人
Decepticon       狂派             霸天虎
Optimus Prime    柯柏文           擎天柱
Megatron         麥加登           威震天
Starscream       星星叫           红蜘蛛
Fallen           科倫             墮落者
Devastator       破壞者           大力神

The most baffling one has to be Starscream: it does not look like a spider and its body is not red, so why is it called 红蜘蛛 (Red Spider)?

2009/08/05

Auto SSH login

I have tried using puttygen.exe to generate a private and public key pair for SSH auto login via PuTTY. The public key needs to be uploaded to the directory /home/user/.ssh/ and renamed authorized_keys. There is a need to use vi to edit the public key file to add ssh-rsa at the beginning and remove the carriage returns and newlines. Afterwards, one has to configure PuTTY to authenticate the login user by private key. The steps are quite confusing, but fortunately they are all clearly spelt out at the URL http://www.codelathe.com/blog/index.php/2009/02/20/ssh-without-password-using-putty/.

The use of private key for auto login also works for sftp. The sftp client that I use is WinSCP.

2009/08/04

SSL virtual web hosting

I need to jot down some hints on why SSL/HTTPS support for name-based virtual hosts is not possible.

It is because of the SSL protocol itself. To establish the connection between the client and the server, the SSL parameters are negotiated first. At that moment the server must already know which site the client wants to connect to, which cannot happen, because the HTTP Host: header that identifies the virtual host has not been exchanged yet. This is a "chicken and egg" issue and is the reason why each SSL-enabled web site must be configured on a unique IP address.

The good news, of course, is availability of address should not be a concern in the case of IPv6.

2009/07/19

dig for Windows XP

I can't imagine the power and convenience of having dig in Windows XP. It really happened. I downloaded dig for windows from "http://serghei.net/windows/dig/" and then followed the instructions to edit c:\dig\resolv.conf to point to my resolver and then copy this file to c:\windows\system32\drivers\etc\resolv.conf.

Apart from dig, what I get additionally are the whois and host utilities. Now I no longer need to rely on a Linux box to perform dig, host and whois.

2009/07/12

babe face in IPv6 address

Interesting! The network administrator of go6.si assigned an IPv6 address with the last 8 hex digits as babe:face.

[root@test-server ~]# host -t aaaa go6.si
go6.si has IPv6 address 2a02:e8:0:1::babe:face

I can think of another one in the last 8 hex digits. How about "bad:cafe" ?

2009/07/10

Passing IPv6 Certification for the rank of Sage

The IPv6 Certification for the rank of sage required me to have IPv6 glue records for my IPv6 name servers in the Top Level Domain registry. After some investigation, I found out that HKDNR did not allow me to put IPv6 glue records (IPv6 addresses for ns1.bya.org.hk and ns2.bya.org.hk) in my name server records. This certainly stopped me from completing the sage test.

I switched to godaddy.com. It permitted me to add hosts for name servers with both IPv4 and IPv6 addresses. I thought it might take 2 days to propagate the added IPv4 and IPv6 glue records. Quite strangely, the new records were propagated to all .com servers within 2 hours.

With all these completed, I logged in to Hurricane Electric and attempted the sage test again. I was able to pass, as all 13 .com authoritative name servers could show the glue records I had prepared.

I shall never forget the importance of adding glue records for name servers by means of the "add host" function in the domain name registration interface.

2009/07/03

virtual email domain in postfix

I have tried a virtual email domain in Postfix. It is very easy. To add abc.com as a virtual email domain, just edit the following line in /etc/postfix/main.cf:

mydestination = $myhostname, localhost.$mydomain, localhost, abc.com,

Compared with Sendmail, Postfix is very user-friendly and easily configurable.

2009/07/02

Miredo - Teredo Client in Linux

I succeeded in getting Miredo, the Teredo client for Linux and Unix, to work on my CentOS 5.2. The steps, as far as I can recall, are as follows:

1. get the rpm package of miredo-1.0.6-1.el5.rf.rpm

2. rpm -ivh miredo-1.0.6-1.el5.rf.rpm

3. Edit /etc/miredo.conf

ServerAddress teredo.remlab.net

4. Add a line "miredo" in /etc/rc.d/rc.local for auto-start at boot up

5. Add a line "ifconfig teredo" in /etc/rc.local for auto-start at boot up

Very stable performance. I am addicted.

The server teredo.ipv6.microsoft.com should not be used. I guess the Microsoft Teredo server might not support Teredo clients on Linux.

2009/07/01

Passing IPv6 Certification for the rank of guru

Last night, I decided to attempt the IPv6 test for the rank of guru granted by Hurricane Electric. It required me to build two IPv6-based name servers and answer AAAA queries from IPv6 addresses only. Of course, the NS records of the authoritative name servers must also have associated AAAA record. It was not an easy one. I spent 6 hours to get all problems resolved.

The next step is to enter the sage test. The test will check whether the domain names I submitted have IPv6 glue at the registrar. I am not quite sure how to prepare and proceed.

2009/06/27

IPv6 address assigned to 6to4 tunnel interface

I have used PPPoE to obtain a public IP address, 218.103.230.241 (da67:e6f1). Upon activating the 6to4 tunnel interface on XP, the following IPv6 addresses are assigned:

IP address: 2002:da67:e6f1::da67:e6f1

Default Gateway: 2002:c058:6301::c058:6301

The IP address of the interface is easy to understand: it appends 218.103.230.241 in hex format after the 2002 prefix. As for the gateway, c058:6301 translates to 192.88.99.1, which is the anycast address for 6to4 relay routers. On tracert, it goes to the node of Hurricane Electric established in HK:

Tracing route to 192.88.99.1 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.168.73.1
  2   207 ms   228 ms   114 ms  pcd-hhm23-2-rx.netvigator.com [203.218.199.254]
  3   226 ms   208 ms   111 ms  n219076123050.netvigator.com [219.76.123.50]
  4    18 ms    17 ms    56 ms  218.102.21.66
  5    67 ms    78 ms   100 ms  hurricaneelectric-RGE.hkix.net [202.40.161.158]
  6    26 ms    20 ms    62 ms  192.88.99.1

Trace complete.

2009/06/21

Teredo IPv6 address

I got the following IPv6 address from Teredo on Windows XP:

2001:0:cf2e:3096:0:78f8:24b0:fed5

The command to activate teredo interface is "netsh interface ipv6 set teredo client teredo.ipv6.microsoft.com".

On analysis, 2001:0::/32 is the Teredo prefix. The Teredo server is provided by Microsoft at 207.46.48.150 (cf2e:3096), and the client's NAT gateway is 219.79.1.42 (24b0:fed5). The flags field is 0 and the client's port number is 34567. All these can be found out with "ipv6calc -i -q 2001:0:cf2e:3096:0:78f8:24b0:fed5".

One question I have in mind is how the router serving the public Teredo server can announce the routing prefix properly, given that different IPv4 addresses can request the service. It is not difficult at all, since the client addresses are in the least significant part. Just announcing 2001:0:cf2e:3096::/64 will be satisfactory.

2009/06/20

Virtual web hosting with IPv6 address

The following are the directives for virtual web hosting in Apache running on an IPv6 address:

NameVirtualHost [2406:a000::6:218]:80

<VirtualHost [2406:a000::6:218]:80>
ServerName ipv6.warrenkwok.com
DocumentRoot /var/www/html/ipv6-warrenkwok
</VirtualHost>

2009/06/18

Displaying visitor's IP address

This is a one-line PHP script that displays the visitor's IP address on a web site:

<?php
echo $_SERVER['REMOTE_ADDR'];
?>

It works for both IPv4 and IPv6 addresses.

2009/06/16

ff02::1 and ff02::2

On a Linux machine, I tried "ping6 ff02::1%2" and a large number of IP addresses responded. ff02::1 is the all-nodes multicast address used by neighbour discovery, so all nodes with IPv6 enabled on that link will answer.

Secondly, I tried "ping6 ff02::2%2" and only one single IP address responded, which was the default router in the network. In fact, ff02::2 is the all-routers multicast address used by router discovery.

Those who are new to IPv6 will find these a lot of fun.

2009/06/15

Random identifier in Vista

Unlike XP, which uses the EUI-64 format for the identifier when assigning an IPv6 link-local address, Vista by default randomizes the last 64 bits for privacy protection. It can be disabled with the following command:

c:\>netsh interface ipv6 set global randomizeidentifiers=disabled

To turn it on again, the command is the same with disabled changed to enabled.

c:\>netsh interface ipv6 set global randomizeidentifiers=enabled

2009/06/11

Disneyland is shameful

When the government announced that primary schools and kindergartens would be suspended and urged the public not to go to crowded places, Disneyland went ahead and launched an offer for local primary and kindergarten pupils: a pass for the whole month for $250. In doing so Disneyland cares only about profit and disregards public safety. It is truly shameful.

2009/06/03

Viewing files on tape archive

I wanted to check the list of files of a SCSI 800GB tape archive. The command I issued was "tar -t /dev/st0". Nothing was returned. Another command "tar --list /dev/st0" was made but gave the same result.

The problem is that for tar command, the parameter "-f" is extremely important. I should use "tar -tvf /dev/st0".

2009/06/02

ipv6calc

ipv6calc gives me an easy way to convert a 48-bit MAC address to the 64-bit EUI used as the interface identifier in an IPv6 address:

[root@localhost ~]# ipv6calc --action geneui64 --in mac --out eui64 00:15:F2:BC:03:8C
215:f2ff:febc:38c

Another application is to query the type of an IPv6 address:

[root@localhost~]# ipv6calc -q -i 2001:200:0:8002:203:47ff:fea5:3085
Address type: unicast, global-unicast, productive
Address type has SLA: 8002
Registry for address: APNIC
Interface identifier: 0203:47ff:fea5:3085
EUI-48/MAC address: 00:03:47:a5:30:85
MAC is a global unique one
MAC is an unicast one
OUI is: Intel Corporation

Great: this shows that the IPv6 address 2001:200:0:8002:203:47ff:fea5:3085 was assigned by auto-configuration.
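
The address arithmetic behind this post and the earlier 6to4 (2009/10/08, 2009/06/27) and Teredo (2009/06/21) posts, as an added example that is not part of the blog: it reproduces by hand what ipv6calc, the XP 6to4 interface and the Teredo client computed for the values quoted in those posts. The 6to4 layout is taken from RFC 3056, the Teredo field layout (with its XOR obfuscation of port and client address) from RFC 4380, and the modified EUI-64 rule from RFC 4291; the sample inputs are the posts' own addresses.

```python
"""Hand-computed 6to4, Teredo and EUI-64 addresses for the values in these
posts. Added example, not the blog author's code; uses only the standard
library."""
import ipaddress


def ipv4_hex_groups(ipv4: str) -> str:
    """Two 16-bit hex groups embedding an IPv4 address: 192.88.99.1 -> c058:6301."""
    b = ipaddress.IPv4Address(ipv4).packed
    return f"{b[0]:02x}{b[1]:02x}:{b[2]:02x}{b[3]:02x}"


def sixto4_prefix(ipv4: str) -> str:
    """The 6to4 /48 that a public IPv4 address owns: 2002:<ipv4 hex>::/48."""
    return str(ipaddress.IPv6Network(f"2002:{ipv4_hex_groups(ipv4)}::/48"))


def sixto4_host_address(ipv4: str) -> str:
    """Host address of the form 2002:WWXX:YYZZ::WWXX:YYZZ, as Windows XP assigns
    to its 6to4 interface and as used for the relay anycast gateway."""
    h = ipv4_hex_groups(ipv4)
    return str(ipaddress.IPv6Address(f"2002:{h}::{h}"))


def sixto4_to_ipv4(addr: str) -> str:
    """Recover the embedded IPv4 address from any address inside 2002::/16."""
    a = ipaddress.IPv6Address(addr)
    if a not in ipaddress.IPv6Network("2002::/16"):
        raise ValueError(f"{addr} is not a 6to4 address")
    return str(ipaddress.IPv4Address(a.packed[2:6]))


def decode_teredo(addr: str) -> dict:
    """Split a Teredo address into its RFC 4380 fields.

    Layout: 2001:0000 | server IPv4 | flags | port ^ 0xffff |
    client IPv4 ^ 0xffffffff. Port and client address are the NAT mapping seen
    by the server, stored inverted so NAT boxes do not rewrite what would look
    like an embedded IPv4 address.
    """
    a = ipaddress.IPv6Address(addr)
    if a not in ipaddress.IPv6Network("2001::/32"):
        raise ValueError(f"{addr} is not a Teredo address")
    p = a.packed
    return {
        "server": str(ipaddress.IPv4Address(p[4:8])),
        "flags": int.from_bytes(p[8:10], "big"),
        "port": int.from_bytes(p[10:12], "big") ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address(bytes(x ^ 0xFF for x in p[12:16]))),
    }


def mac_to_eui64(mac: str) -> str:
    """Modified EUI-64 interface identifier from a 48-bit MAC: insert ff:fe in
    the middle and flip the universal/local bit (bit 1 of the first octet).
    Output uses ipv6calc's compact form without leading zeros."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return ":".join(f"{int.from_bytes(eui[i:i + 2], 'big'):x}" for i in range(0, 8, 2))


def iid_to_mac(addr: str):
    """Inverse of mac_to_eui64 on a full address: the MAC if the low 64 bits
    carry the ff:fe marker (autoconfigured identifier), else None, which is
    what a randomised identifier such as Vista's yields."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{x:02x}" for x in mac)
```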

2009/06/01

problems of internal IP + NAT in mobile devices

Some mobile operators assign 10.X.Y.Z IP addresses to mobile devices and use NAT to connect them to the Internet. There are at least 3 problems caused by this approach:

1. No end-to-end connectivity is guaranteed. Some VPN services might fail.
2. NAT increases battery drain because of the extra packets sent to check the status of devices.
3. NAT offers fewer than 65535 ports. If a mobile device runs P2P applications with about 100 ports open, the total number of devices that can be supported on a network segment is 650.

IPv6 could solve all these problems. All mobile operators should assign IPv6 addresses to their customers.

2009/05/30

IPv6 tunnel broker

Some years ago, I could connect to the IPv6 world over my IPv4 address by way of a free tunnel broker service. However, that service closed down four years ago.

I have now used the tunnel broker at broker.aarnet.net.au in conjunction with the gateway6 client, which is basically a tunnel setup protocol (TSP) client. My new IPv6 address is:

2001:0388:f000:0000:0000:0000:0000:03ab

which can be shortened to:

2001:0388:f000::3ab

By the way, if we browse a website by an IPv6 address like:

2001:200:0:8000::42

it is necessary to enclose the IP address in square brackets:

http://[2001:200:0:8000::42]
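The shortening shown above, done by hand rather than by a library, as an added example that is not part of the post: drop leading zeros in each group and collapse the longest run of all-zero groups into "::" as RFC 5952 specifies, then wrap the result in brackets for a URL. RFC 5952 also strips the leading zero that the post keeps in "0388", so the output is one character shorter than the post's form.

```python
import ipaddress
from typing import Optional


def compress_ipv6(addr: str) -> str:
    """RFC 5952 text form: each group without leading zeros, and the longest
    run of two or more zero groups (the first one on a tie) replaced by '::'."""
    # Canonicalise first so that compressed or mixed-case input is accepted.
    groups = [int(g, 16) for g in ipaddress.IPv6Address(addr).exploded.split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexes = [f"{g:x}" for g in groups]
    if best_len < 2:            # a single zero group is written as "0", never "::"
        return ":".join(hexes)
    left = ":".join(hexes[:best_start])
    right = ":".join(hexes[best_start + best_len:])
    return f"{left}::{right}"


def ipv6_url(addr: str, path: str = "/", port: Optional[int] = None,
             scheme: str = "http") -> str:
    """URL with the literal address in brackets (RFC 3986), so the colons
    inside the address are not mistaken for the port separator."""
    host = f"[{compress_ipv6(addr)}]"
    if port is not None:
        host += f":{port}"
    return f"{scheme}://{host}{path}"


if __name__ == "__main__":
    print(compress_ipv6("2001:0388:f000:0000:0000:0000:0000:03ab"))  # 2001:388:f000::3ab
    print(ipv6_url("2001:200:0:8000::42"))                            # http://[2001:200:0:8000::42]/
```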

2009/05/28

how to find if a domain name is cached in a resolver

I have a task to test whether a domain name is cached in a resolver. Of course, nslookup cannot help and I have to turn to the more powerful dig:

#dig @1.2.3.4 www.cnn.com +norecurse

If the domain www.cnn.com has already been cached, the result shows the corresponding A records. If it has not, the result gives the NS records of the 13 root name servers.

2009/05/21

Occupational hazard

One day I saw "WED" in a document and for a moment could not recall which government department it abbreviated. I thought it over: the Civil Aviation Department is CAD, the Environmental Protection Department is EPD, the Fire Services Department is FSD, the Social Welfare Department is SWD, the Drainage Services Department is DSD, and so on, but where is there a department called WED? Completely puzzled, I finally worked it out: WED is the abbreviation of WEDNESDAY. It seems that from now on I should stop assuming every ??D is a government department.

2009/05/20

Two IFC = The Dark Knight

Taking the ferry home at dusk, a mother on board pointed at Two IFC and asked her son the name of the building. The child said "The Dark Knight", and the adults sitting nearby smiled to themselves. Children of your generation should pay more attention to the things around you, instead of being absorbed in the Batman movies.

2009/05/19

6-antenna access point

This is the first time I have ever seen a 6-antenna access point. The model is the Motorola AP-7131, which supports 802.11a, b, g and n. When running 802.11n 3x3 MIMO, the maximum speed can be up to 600 Mbps.

But don't get excited. This is an enterprise-grade access point, not a consumer product. Average home users might not have the chance to buy or use it.

2009/04/30

3G logo of China Mobile

I was surprised to see the 3G logo of China Mobile.

The design is absolutely poor: a Tai Chi sign with an open end. I just cannot figure out the relationship between Tai Chi and high-speed 3G communications. The movement in Tai Chi is static and slow; it does not match the pace of 3G mobile. Another frustration is that the colours in the logo are dull.

I believe some university students who have studied visual art and design can come up with something much better.

2009/04/29

Universal Mobile Phone Charger

The GSM Association, cell phone manufacturers and mobile carriers are now pushing for the adoption of a universal mobile phone charger. The global standard is not available yet, but from an engineering point of view this is an easy task involving only simple, basic technologies. It is expected that by 2012 the majority of new handsets will support the new charger.

I had this idea more than 10 years ago. It sounds good to all phone users. It also saves the environment, because a huge number of old chargers are dumped in landfill when people change their cell phone models, even though the chargers are still working and in good condition.

This really comes a bit late. If the initiative had been started some 10 years ago, we would have benefited from lower-cost handsets and a better environment.

2009/04/12

Google migrated to IPv6

Google has recently announced that it took a small core team of engineers, working on a part-time basis, 18 months to complete migrating its infrastructure to IPv6. This is a great achievement indeed. Google is a pioneer in the deployment of IPv6. The news also gives network service providers significant confidence that moving to IPv6 is not really difficult.

2009/04/01

Conficker checking date and time

It is known that if users try to adjust the date of Conficker-infected Windows PCs to avoid the 1st April trigger, it does not work. The reason is that Conficker connects to large web sites and learns the exact date and time from the HTTP header.

A question arises: is it necessary to give the date and time in the HTTP header? If it serves no useful purpose, it should be omitted, since hackers can use the date and time to trigger attack sequences.

2009/03/27

China blocked YouTube

China has taken the extreme measure of blocking access to YouTube in the whole country. This is unnecessary. This ultimate move is just like burning down a farm because of one dead chicken found inside it.

China could simply request YouTube to remove the video clips related to the beating of monks and Tibetans. YouTube has in the past removed copyrighted videos from its website.

2009/03/26

Firewalls should not block DNS traffic over TCP port 53

Some firewalls explicitly allow blocking DNS traffic on TCP port 53. This is not a protective feature; rather, it causes a lot of trouble. System administrators should allow DNS traffic to go through TCP. Take the MX records of hotmail.com as an example. Currently, the byte length is 511. If Hotmail adds an additional mail server, the MX response will exceed 512 bytes, which cannot be handled by UDP. The transaction will then fall back to TCP.

There are other cases of transactions using TCP, mainly queries on the nameservers of top-level domains and country-code top-level domains. When IPv6 and DNSSEC become popular, a large part of DNS traffic will ride on TCP.

2009/03/25

Amazon Kindle

This week, I saw people reading electronic books on the Amazon Kindle inside the MTR. The look is quite attractive. The quality of the displayed text is equivalent to printed paper. Hong Kong is considering ebooks for school teaching. The technology should have a promising future.

2009/03/23

Cloning hard disk

My colleague tried to clone an 80G HD onto a 250G replacement using Clonezilla. After successfully booting from the replacement HD, only 80GB were seen. The following steps were carried out to get back the extra disk space:

1. fdisk /dev/sda
2. add a new extended partition, which will then become /dev/sda3
3. add a new logical partition, which will then become /dev/sda5
4. when fdisk -l is run, it shows that /dev/sda3 and /dev/sda5 have been created
5. format /dev/sda5 with mkfs.ext3 /dev/sda5 (note: /dev/sda3, the extended partition, cannot be formatted)
6. assign a mount point to the partition /dev/sda5
7. add the new mount point to fstab

After a system reboot, all the newly added hard disk space can be seen.

2009/03/22

Number of rows in Excel 2007

There is one compelling reason for me to switch to Excel 2007. The number of rows that can be supported has increased from 65,536 to 1,048,576. Apart from rows, the number of columns has also been expanded from 250 to 16,384. These features are great, but their functions are still limited compared to a database system.

2009/03/20

dopdf

I have been looking for free PDF software to convert documents to PDF format. Adobe Acrobat, sold at US$500 per licence, is too costly. I finally found doPDF to suit my need.

Everybody needs a PDF converter. I wonder why it is not included in office suites.

2009/03/19

IE8 officially launched today

Microsoft is set to make its Internet Explorer 8 browser available later today. I have tried the beta version for over 4 months. It does not impress me very much. It is not as good as Firefox or Flock. In light of the popularity of social networking, Flock is richer in user features than any other browser.

2009/03/18

If a company loses its critical computer data

Excerpted and translated from Wikipedia

If a company loses its critical computer data:

・41% of companies close down immediately

・53% of companies go out of business within 2 years

・Only 6% of companies are able to continue operating

2009/03/17

To juniper a network

In the Internet world, the term "to google" means to search the Internet with Google. How about "to juniper a network"? I came across it when browsing some websites. At first glance, it could mean applying a Juniper firewall to a network. Hey, wait a moment: Juniper is not the number 1 firewall in the market. The term should not be used in this way unless Juniper products dominate the firewall market.

2009/03/14

Social networking is now more popular than email on the Internet

Nielsen Online has reported that social networking has overtaken email to become the fourth most popular online product. Social networks and blogs are used by almost two-thirds of all online users worldwide.

This comes as no surprise to me. Almost all of my friends have Facebook accounts. We just need to use Facebook to keep in touch with each other. Why bother to use email?

2009/03/13

Changing my 404 Error Handling Page

Recognizing the 512-byte limitation of the IE browser in displaying 404 error handling pages, I decided to change my page as follows:

"Woops ... The page you request can not be found under the website www.----.net
Please make sure you type the URLs with correct spelling. Good luck, friend....
Since IE browser can not display error handling pages with less than 512 bytes, I have to add meaningless text to make this page displayable by IE browsers."

The text strings together with the HTML tags add up to 514 bytes.

2009/03/12

IE can not display 404 error handling page less than 512 bytes

If you are a system administrator, you will configure the 404 error handling page of individual websites with a few lines, say "the URL you typed can not be found in this web, please make sure it is not mistyped". However, the IE browser will not display your error handling page if it is less than 512 bytes, but instead shows its own preset HTML page saying "The page cannot be found". No such hassle is found in Firefox.

Why should IE impose such a limit? It doesn't make any sense at all.

2009/03/09

DJB Award

Daniel J. Bernstein (DJB) offers an award of US$1,000 to anyone who can find the first verifiable security bug in his djbdns and qmail.

He has acknowledged an exploitable security flaw in his djbdns software and has made good on a public security guarantee, paying $1000 to the first person to publicly report a verifiable security hole in the latest version of the popular DNS name server.

For qmail, the award is still valid.

2009/03/08

My experiences with CSL pre-paid SIM card

I have one CSL prepaid SIM card which expired on 29 Jan 2009. Though expired, I can still use the card to make outgoing calls and receive incoming calls. CSL gives customers several months to recharge after expiry. No such flexibility is offered by the other 4 operators in HK, namely Hutchison, SmarTone, PCCW Mobile and Peoples. With the other 4 operators, once a card has expired, the number is forfeited and the residual value is confiscated.

2009/03/06

Jill Vidal (衛詩) = Silly Girl?

Jill Vidal made "Silly Girl" (儍女) a hit; who would have thought she would end up being a silly girl herself.

2009/03/04

Setting up SSH tunnel with PuTTY for web browsing

I need to use an SSH tunnel to browse the web at WiFi hotspots. The procedure for setting up an SSH tunnel with PuTTY is as follows:

Web browser: use a proxy, connecting to 127.0.0.1 port 7070

PuTTY: normal SSH login + tunnel

The tunnel should forward local port 7070 to IP 1.2.3.4:3778, assuming there is a squid daemon running on IP 1.2.3.4 listening on port 3778.

2009/03/03

The power of rsync

Rsync is the most powerful command in Unix and Linux for backing up data. It uses checksums to compare local and remote files and only copies the files that are different. This algorithm is highly efficient, which is why rsync is used in many backup products.

To back up a directory from one partition to another on a regular basis, I normally start a cron task to perform the following:

#rsync -av --delete /source /destination

The parameter --delete tells rsync to delete from the destination directory those files that are no longer present in the source directory.

Rsync can also be used for backing up between hosts. If ssh is used in conjunction with it, the transmission of data over the Internet is secured.

2009/03/01

Wi-Fi Security Measure

Yesterday, I attended the Seminar on Protecting Your WiFi Network and Utilization. There were a lot of recommendations on securing WiFi, which included using WPA2+AES, changing the default SSID, stopping SSID broadcast, MAC address filtering, and not placing APs near windows. Strangely, nobody mentioned stopping DHCP allocation on APs, so that WiFi clients must use a static IP address to connect, while the network address is made difficult to predict, like 10.97.77.0/24. Even if an attacker finds out the key, without being allocated a proper IP address and gateway the attacker still cannot get through the AP to other people's network.

2009/02/25

deleting a large number of files

I normally use the following to delete a large number of files residing in a directory, as there is an upper limit on the number of arguments rm can handle (the glob is quoted so the shell does not expand it, and -print0/-0 keeps file names with spaces intact):

#find . -name '*' -type f -print0 | xargs -0 rm

Sometimes, if the number of files is so huge, the above might not be 100% workable. I have to give myself a backup option:

#find . -type f -exec rm {} \;

Not easy to remember the syntax, but I need to memorize it for system administration.

2009/02/20

IIS Server Probe

I saw these lines on my server log:

/samples/winnt/system32/cmd.exe?/c+dir HTTP Response 302
/scripts/winnt/system32/cmd.exe?/c+dir HTTP Response 302
/cgi-bin/winnt/system32/cmd.exe?/c+dir HTTP Response 302
/vti_bin/winnt/system32/cmd.exe?/c+dir HTTP Response 302
/samples/winnt/system32/cmd.exe?/c+dir HTTP Response 302
/vti_cnf/winnt/system32/cmd.exe?/c+dir HTTP Response 302
/vti_bin/winnt/system32/cmd.exe?/c+dir HTTP Response 302

Apparently, a bad guy was probing for old vulnerabilities of IIS. The bad guy was not very professional. He should have performed web server OS fingerprinting before launching the probe.
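Detection logic for the probe pattern in the log above, as an added example that is not the post's own tooling: it parses Apache-style access log lines and reports, per source host, how many requests tried to reach cmd.exe through a web-accessible IIS directory and what status they got. The sample lines are constructed here (the post shows only paths and status codes), using documentation-range source addresses.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache/NCSA common log format: host ident user [time] "request" status size.
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The shape of every probe line in the entry above: a request that tries to
# reach cmd.exe through a web-accessible directory.
PROBE = re.compile(r"/system32/cmd\.exe(\?|$)", re.IGNORECASE)

# Constructed sample log: the paths and the 302 status are those from the post,
# the source hosts and timestamps are made up.
SAMPLE_LOG = """\
198.51.100.23 - - [20/Feb/2009:10:01:12 +0800] "GET /samples/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
198.51.100.23 - - [20/Feb/2009:10:01:13 +0800] "GET /scripts/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
198.51.100.23 - - [20/Feb/2009:10:01:14 +0800] "GET /vti_bin/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 227
203.0.113.9 - - [20/Feb/2009:10:02:40 +0800] "GET /index.html HTTP/1.1" 200 1043
203.0.113.9 - - [20/Feb/2009:10:02:41 +0800] "GET /docs/cmd.exe.html HTTP/1.1" 200 512
"""


def parse_line(line: str):
    """Fields of one log line, or None when the line is not in the expected format."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def is_probe(path: str) -> bool:
    """Percent-decode before matching so the pattern sees the path the server
    would resolve; cmd.exe must be the target itself, so a page merely named
    after it (cmd.exe.html) does not count."""
    return PROBE.search(unquote(path)) is not None


def summarize(lines):
    """Probe requests per source host, broken down by status code. A 302 or 404
    means the server declined; a 200 on such a path is the case to investigate."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            hits[rec["host"]][rec["status"]] += 1
    return {host: dict(counts) for host, counts in hits.items()}


if __name__ == "__main__":
    for host, counts in summarize(SAMPLE_LOG.splitlines()).items():
        print(host, counts)   # 198.51.100.23 {'302': 3}
```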

2009/02/15

Iridium satellite crash

I feel sad about one of the operating Iridium satellites being destroyed in a collision with a malfunctioning Russian satellite. Back in 1999, I worked with Iridium LLC, HKTI and the Hong Kong Police to enable Iridium users in Hong Kong to make emergency calls with the telephone numbers "112", "999" and "852 999".

Let's hope the countries which have the technical capability to launch rockets (USA, China, India etc.) could mobilize spacecraft to clear away orbital debris, even though there is no commercial profit in it.

2009/02/12

DNS DDoS attacks

Great! I had the chance to see a DNS DDoS taking place.

A zombie was using the forged source IP address 89.149.221.182 to query the NS records of the root domain. The hidden attacker was trying to find an open recursive resolver to flood packets at the victim with IP address 89.149.221.182. My resolver has open recursion prohibited, so the requests were denied. Actually, if the target resolver had open recursion enabled, for each query packet of 45 bytes it would return an answer of about 400 bytes. Hence the amplification factor is great, almost 10 times.

Though the activity was harmless to my server and the load was light, it still generated about 10k lines every day in the log file. I have to use iptables to block UDP packets of length 45 bytes, which is the exact packet size of an NS query on the root domain; the syntax is as below:

#iptables -I INPUT -p udp --dport 53 -m length --length 45 -j DROP

Bingo, it blocks as expected.
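The two message sizes this page leans on, the 512-byte UDP ceiling that pushes a long MX answer onto TCP (entry of 2009/03/26) and the 45-byte root NS query matched by the iptables rule above, worked out by encoding the messages by hand. This is an added example, not code from the post; the zone and mail host names are constructed, and names are left uncompressed, so a real server's MX answer would be somewhat smaller than the figure computed here.

```python
import struct

QTYPE = {"NS": 2, "MX": 15}
UDP_PAYLOAD_LIMIT = 512      # DNS over UDP without EDNS0 (RFC 1035 section 4.2.1)
IPV4_UDP_OVERHEAD = 20 + 8   # IPv4 header + UDP header; iptables -m length counts these


def encode_name(name: str) -> bytes:
    """Uncompressed wire form: length-prefixed labels ending in a zero byte;
    the root "." is just that single zero byte."""
    labels = [label for label in name.split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dns_query(qname: str, qtype: str, txid: int = 0x1234) -> bytes:
    """12-byte header with the RD bit set, followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)


def mx_response(zone: str, exchanges, ttl: int = 3600, txid: int = 0x1234) -> bytes:
    """Answer carrying one MX RR per (preference, host) pair."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(exchanges), 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE["MX"], 1)
    answers = b""
    for pref, host in exchanges:
        rdata = struct.pack("!H", pref) + encode_name(host)
        answers += (encode_name(zone)
                    + struct.pack("!HHIH", QTYPE["MX"], 1, ttl, len(rdata))
                    + rdata)
    return header + question + answers


def needs_tcp(msg: bytes) -> bool:
    """When a reply exceeds the UDP limit the server sends a cut-down copy with
    the TC bit set and the resolver retries on TCP port 53; a firewall that
    drops TCP/53 therefore makes the lookup fail outright."""
    return len(msg) > UDP_PAYLOAD_LIMIT


def ip_datagram_length(dns_payload: bytes) -> int:
    """The value that `iptables -m length --length N` compares against."""
    return IPV4_UDP_OVERHEAD + len(dns_payload)


def constructed_mx_set(n: int):
    """n mail hosts under a constructed zone, e.g. (10, 'mx01.example.com')."""
    return [(10 * (i + 1), f"mx{i + 1:02d}.example.com") for i in range(n)]


if __name__ == "__main__":
    root_ns = dns_query(".", "NS")
    print(len(root_ns), ip_datagram_length(root_ns))          # 17 45
    for n in (11, 12):
        reply = mx_response("example.com", constructed_mx_set(n))
        print(n, len(reply), needs_tcp(reply))                 # 11 502 False / 12 545 True
```

With the post's figure of about 400 bytes for the root referral, ip_datagram_length puts the response near 428 bytes against a 45-byte query, which is the roughly 10x amplification described.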

2009/02/11

.hk and .cn ccTLD servers

There are now 11 DNS servers for the .hk ccTLD, placed in HK, Taiwan, Australia and the USA. We still have 2 more servers to use before resorting to anycast technology for deploying .hk server instances in other places.

Due to the increased business communications between HK and China, and considering that Hong Kong is part of China, it will be beneficial to both HK and China if one set of .hk ccTLD DNS servers is located in mainland China. Likewise, HK can consider hosting one set of .cn ccTLD servers. At present, there are 6 sets of .cn ccTLD DNS servers in mainland China, so at least there is a chance of setting up .cn ccTLD DNS in HK.

I have made the proposal to HKIRC.

2009/02/05

What should be removed from a PC motherboard

Some thoughts on what should be removed from a modern day PC motherboard:

1. Parallel printer port - printers are now driven by USB.

2. RS232 com port - we are in a broadband era; dial-up modems are no longer in use.

3. Game port - I have never used it.

4. Floppy disk controller - a 1.44 MB floppy disk can't even store a single file.

After removing all these redundant interfaces and circuitry, can we expect the prices of motherboards to drop? Not quite.

2009/02/02

Google marked all sites as dangerous

Google marked all sites as dangerous on 31 January for 40 minutes. Why this happened is explained below:

1. Google maintains a list of known malicious sites
2. Somebody entered the URL “/” on that list
3. The list was pushed to all of Google's servers between 6:27 and 6:40 a.m.
4. Because / is found in any URL, all websites were flagged as potentially dangerous

Google made a critical mistake. Noting that human mistakes are unavoidable, Google should have performed a health check of the new list in a test environment before pushing it to all production servers.

Did Google learn a proper lesson about “change control” ?

2009/02/01

PC still running Windows XP SP1

I always had the idea that office PCs and home PCs would be patched with Service Pack 3. I was wrong. Yesterday, I sat in an Internet cafe and the PC I used was running XP with Service Pack 1 (SP1). SP1 was released in September 2002. That is to say, patches had not been applied in the past 6 years.

Next time I go to that cafe, I will not use the free PCs provided to check email.

2009/01/30

"v=spf1 -all"

In SPF, the setting "v=spf1 -all" is interesting. I have found one domain to illustrate it:

[root@~]# host -t txt wa-first.com
wa-first.com descriptive text "v=spf1 -all"
[root@~]#

That is to say, no host or IP address may claim to use the domain wa-first.com in the "mail from" field of an email address. If the domain is used for hosting web only and no email is involved, this is a proper setting with great protection.
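A minimal check of what a record like "v=spf1 -all" does to a connecting sender, as an added example that is not part of the post: the evaluator handles only the ip4, ip6 and all mechanisms with their qualifiers and returns the SPF result for a given sender IP. The wa-first.com record is the one queried above; the other records and all sender IPs are constructed.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Walk the mechanisms left to right (RFC 7208 section 4.6); the first one
    that matches the connecting IP decides. Only ip4/ip6/all are understood,
    so a record using a, mx, include or redirect is reported as 'permerror'
    rather than guessed at."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"          # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"             # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"          # mechanism not supported by this checker
    return "neutral"                # nothing matched and no "all" present


def explain(domain: str, record: str, sender_ip: str) -> str:
    """One-line verdict for a sender claiming the given domain in MAIL FROM."""
    return f"{sender_ip} sending as {domain}: {evaluate_spf(record, sender_ip)}"


if __name__ == "__main__":
    # "v=spf1 -all" is the record shown above; the sender IPs are constructed.
    print(explain("wa-first.com", "v=spf1 -all", "203.0.113.10"))            # fail
    print(explain("example.com", "v=spf1 ip4:192.0.2.0/24 ~all", "192.0.2.25"))  # pass
    print(explain("example.com", "v=spf1 ip4:192.0.2.0/24 ~all", "198.51.100.7"))  # softfail
```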

2009/01/27

Save Hak Mui

Urgent appeal: please support tearing down the wall to rescue Hak Mui (黑妹).

2009/01/24

0x20 bit encoding

Security experts have recently shown that it is possible to mix upper- and lower-case spelling of a domain name when sending out name queries. This protection scheme is called 0x20 encoding. See the diagram below.

To inject a fake address record into a resolver, an attacker must predict the random upper- and lower-case letters of the domain name in the query string. In the illustration above, the probability of poisoning the resolver's cache is reduced by a factor of 2^10, attributable to the 10 letters in "example.com".
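The 0x20 scheme above from the resolver's side, as an added example that is not part of the post: the resolver randomizes the letter case of the outgoing QNAME, remembers it with the transaction ID and source port, and accepts an answer only if the echoed question matches case for case. entropy_bits counts the letters that can vary, which gives the 10 the post cites for example.com.

```python
import random


def randomize_case(qname: str, rng: random.Random) -> str:
    """Flip each ASCII letter to upper or lower case at random (the 0x20 bit);
    digits, hyphens and dots are left alone. DNS compares names case-insensitively,
    so the authoritative server still understands the query and echoes it back."""
    return "".join(
        (ch.upper() if rng.getrandbits(1) else ch.lower()) if ch.isalpha() else ch
        for ch in qname
    )


def entropy_bits(qname: str) -> int:
    """Number of case-variable characters: the extra bits an off-path forger
    must guess on top of the 16-bit transaction ID and the source port."""
    return sum(1 for ch in qname if ch.isalpha())


def answer_is_acceptable(sent_qname: str, received_qname: str) -> bool:
    """Byte-exact comparison of the echoed question; a forged reply that guessed
    the case pattern wrong (or used plain lower case) is discarded."""
    return sent_qname == received_qname


class PendingQueries:
    """What a resolver keeps per outstanding query: (txid, port) -> 0x20 qname."""

    def __init__(self, seed=None):
        self.rng = random.Random(seed)
        self.outstanding = {}

    def send(self, qname: str):
        """Pick a transaction ID, a source port and a case pattern; return them
        as the caller would need them to build the wire query."""
        txid = self.rng.getrandbits(16)
        port = self.rng.randrange(1024, 65536)
        wire_name = randomize_case(qname, self.rng)
        self.outstanding[(txid, port)] = wire_name
        return txid, port, wire_name

    def receive(self, txid: int, port: int, qname: str) -> bool:
        """True only if the reply matches an outstanding query on all three
        values; a matched query is then closed so replays are rejected too."""
        expected = self.outstanding.get((txid, port))
        if expected is None or not answer_is_acceptable(expected, qname):
            return False
        del self.outstanding[(txid, port)]
        return True


if __name__ == "__main__":
    resolver = PendingQueries(seed=7)
    txid, port, wire = resolver.send("www.example.com")
    print(wire, entropy_bits(wire))                       # e.g. wWw.ExAmple.COm 13
    print(resolver.receive(txid, port, wire.swapcase()))  # False: wrong case pattern
    print(resolver.receive(txid, port, wire))             # True
```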

2009/01/13

secureCRT

For those who find the layout of PuTTY dumb and boring, they may consider using SecureCRT for SSH access. A lot of user-friendly functions are provided in the tool bar and menu bar.

2009/01/08

Difference between /dev/st0 and /dev/nst0

I use a SCSI tape drive to perform backups of data, and the drive has the generic device name /dev/st0. /dev/st0 always rewinds to the beginning of the tape after performing an operation. Because of this, /dev/st0 only allows one archive to be created (tar cvf /dev/st0 data), and all subsequent data must be added to that single archive by appending it with "tar rvf /dev/st0 newdata". How about multiple archives on a tape? The answer is /dev/nst0, which does not rewind the tape to the beginning, so new archives can be created one after the other.

2009/01/06

IE market share drop below 70 %

Net Applications has published the latest market share of the various browsers.

IE market share has dropped below 70%. Great! This is a good sign, noting that more people are switching to Firefox, which is more secure.

2009/01/05

No CAPTCHA verification required when posting message in blogger.com

Google's blogger.com has removed the trouble of requiring bloggers to type the characters in CAPTCHA images when they post messages. This is sensible, considering that bloggers have already been authenticated before they can log in.

However, I would like to warn Google that CAPTCHA verification should still be required if someone wants to comment on a blog. Otherwise, automated scripts could pollute the blogosphere with blog spam.

2009/01/04

resolving nameservers and forwarders

I made some major changes to my resolving nameserver. Instead of doing recursive queries for trusted IP addresses, I switched to using the two DNS servers of my upstream ISP as forwarders. The added syntax in /var/named/chroot/etc/named.conf is as follows:

options {
directory "/var/named";
forwarders { 1.2.3.4; 2.3.4.5; };
forward only;
};

Do I need to worry that if one forwarder fails, the query gets stuck until it times out? The answer is no. One beauty of BIND 9 is that forwarders are not selected in the order listed or in a cyclic manner. Instead, the nameserver selects which forwarder to query first based on round-trip response time. If one forwarder fails, the nameserver selects the remaining working one.

2009/01/03

Logo of CITEL

The logo of CITEL (Inter-American Telecommunication Commission) is the most complicated I have ever seen. With so many colours and so much detail, how could the logo be printed on business cards or letterheads? By the way, putting all the national flags together has no reference to telecommunication. At most, it could only mean that some countries have joined together.