2009/10/26

naming of Windows 7

Microsoft said Windows 7 is so named because it is the 7th generation of the Windows OS. Can anyone still recall all the previous six generations? It's not difficult. I can say they were Windows 3, Windows 95, Windows 98, Windows 2000, Windows XP, Windows Vista.

More history: a TCP/IP stack was added starting from Windows 95. An IPv6 stack was available in Windows 2000, Windows XP and Windows Vista, but Windows 2000 and Windows XP require users to install and enable it. For Vista, IPv6 is enabled by default. Of course, as Windows 7 is an improvement over Windows Vista, all IPv6 features are retained.

Wa.., the photo below is interesting, a burger with 7 layers of beef:

2009/10/20

HSBC's dual-password logon

Recently, I was shocked by HSBC's dual-password logon to its Internet banking services. In this scheme, the authentication page requires users to give the first password in the exact string sequence, while for the second password users are only required to input 3 characters, and the positions of the characters to be inputted are random. I have a screen capture to illustrate.



Keylogging malware can capture all the keystrokes, including usernames, the 1st password, and any inputted characters of the 2nd password. What a hacker needs to do is to find the position on the screen and inject the known characters in order to get access. I am of the view that this protection scheme is much weaker than using security tokens. HSBC advises that this is to give more convenience to users, given that some users might not bring their tokens with them all the time.

I myself would not use this kind of authentication.

2009/10/18

Safe Internet banking by using Linux live CD

Some security experts have suggested using a Linux live CD for safe Internet banking. This makes good sense considering that malware is targeted at stealing data from Windows-based systems and won't load or work when the user boots from a live CD.

Some might argue that not many people understand how to burn an ISO image of a Linux live CD and use it for a single application. If that is the case, they should consider using an Apple Mac instead of a Windows PC.

2009/10/15

IPv6 Proxy

I have added one of my websites to an IPv6 Proxy (http://www.ipv6proxy.nl/).

If a website is configured with only an IPv4 address, there is no way hosts in the IPv6-only cloud can access it. IPv6 Proxy turns out to be a solution.

The IPv6 proxy listens on 2a00:d00:ff:131:94:228:131:131. It fetches the website contents over IPv4 and then passes them to the visiting IPv6 browser clients. The website owner is required to add an AAAA record pointing to 2a00:d00:ff:131:94:228:131:131 for the website, such as:

"www.example.com. 1H IN AAAA 2a00:d00:ff:131:94:228:131:131"

The last step is of course to register the website name with the proxy.

This is a cool application from an IPv6 implementation perspective.

2009/10/09

Facebook Extended Maintenance

For the past 5 days, I was not able to log in to Facebook. Today, the situation has not changed, but Facebook tried to give a different error message:

"Sorry, due to site maintenance your account is unavailable at this time. We are currently experiencing an extended site maintenance issue that is preventing some users from accessing their accounts or Pages they may administer. Rest assured that your account has not been deleted or compromised. Your original account will be restored as soon as possible so there is no need to create a new one. We sincerely apologize for any inconvenience you've encountered while attempting to log in to Facebook during this time.

You can stay updated with the progress of this bug by visiting the Help Center."

I am sure that a huge number of account holders could not wait for so many days and they have already created new accounts. Sigh... the proper message prompt comes a bit too late.

2009/10/08

Setting up 6to4 tunnel in FC10

My FC10 server is bound to the IP address 202.81.252.116. With this IPv4 address, the whole 2002:ca51:fc74::/16 range of IPv6 addresses belongs to me. Yesterday, I arbitrarily took the first host in the range, and therefore the IPv6 address for my server in 6to4 tunnel mode became 2002:ca51:fc74::1/16. Then I performed the following:

#ip tunnel add 6to4 mode sit remote any local 202.81.252.116
#ip link set dev 6to4 up
#ip addr add 2002:ca51:fc74::1/16 dev 6to4
#ip -6 route add 2000::/3 via ::192.88.99.1 dev 6to4 metric 1026

Afterwards, ifconfig showed the IPv6 address 2002:ca51:fc74::1/16 was bound to the 6to4 tunnel, and ping6 ipv6.google.com was successful. Great learning experience.
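
The address arithmetic behind the tunnel setup above, as an added example that is not part of the original post: RFC 3056 forms a site's 6to4 prefix by appending the 32-bit IPv4 address to 2002::/16, giving a /48 per IPv4 address (2002::/16 itself is shared by all 6to4 sites, which is why the tunnel interface address carries /16). The function name is my own, and private, loopback and link-local inputs are rejected because 6to4 requires a globally unique IPv4 address.

```shell
#!/bin/sh
# Added example: derive the 6to4 prefix (RFC 3056) from a public IPv4 address.
# The function name is illustrative, not from the original post.

# sixto4_prefix A.B.C.D -> prints "2002:xxxx:xxxx"; returns 1 on bad input
sixto4_prefix() {
    old_ifs=$IFS; IFS=.
    set -f                      # no globbing while splitting on dots
    set -- $1
    set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            # empty, non-digit, leading zero, or more than three digits
            ''|*[!0-9]*|0?*|????*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    # 6to4 needs a globally unique address: reject private/loopback/link-local
    case "$1.$2" in
        10.*|127.*|192.168|169.254) return 1 ;;
    esac
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then
        return 1
    fi
    # Each 16-bit group is two IPv4 octets: high * 256 + low, printed in hex
    printf '2002:%x:%x' $(( $1 * 256 + $2 )) $(( $3 * 256 + $4 ))
}

# The server address from the post
prefix=$(sixto4_prefix 202.81.252.116) && {
    echo "site prefix : ${prefix}::/48"
    echo "first host  : ${prefix}::1"
}
```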

2009/10/01

check ssl private key and public key are matched

This is a tough question. How can I verify that an SSL private key (e.g. server.key) and a public key (e.g. server.crt) match? The steps are:

#openssl x509 -noout -text -in server.crt

Look for the modulus string, which is 1024 bits, and then

#openssl rsa -noout -text -in server.key

Again, look for the string of modulus which should match exactly that of the previous step for the public key.

A sample of the modulus of my server certificate is as follows:

Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:a9:47:4f:dc:2d:20:4d:90:50:40:d5:e5:8c:09:
f3:fb:ca:03:b3:4c:aa:7d:29:b9:37:fb:cc:01:a4:
87:1a:3a:72:0c:c4:fd:7a:35:a0:2d:14:13:63:4c:
a9:16:0b:52:c7:ef:67:ee:29:cc:a5:29:4d:8d:b7:
eb:0f:52:35:11:12:2c:9e:a6:53:6b:d9:80:5b:da:
ba:1b:91:29:2e:08:7b:97:a3:73:bf:77:b1:50:dc:
75:14:d4:42:c2:4b:a4:5b:68:a2:22:bc:d7:72:97:
42:95:ed:a0:32:7d:bf:29:53:12:9a:ea:f0:97:6f:
d2:c8:95:8a:c6:a4:6d:23:59
Exponent: 65537 (0x10001)
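
The same check done without comparing hex by eye, as an added example that is not part of the original post: it compares the public key extracted from the certificate with the one derived from the private key, which goes beyond the RSA modulus comparison above because it also works for EC keys. The function names and the throwaway demo files are my own; an unencrypted private key is assumed.

```shell
#!/bin/sh
# Added example: does a private key belong to a certificate?
# Compares the PEM public key each file yields. Names are illustrative.

# key_matches_cert CERT KEY -> 0 match, 1 mismatch, 2 unreadable input
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    # Never compare empty strings: two failed reads must not "match"
    [ -n "$cert_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# make_demo_files DIR: constructed material (throwaway keys, 1-day cert)
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.com" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
for key in server.key other.key; do
    if key_matches_cert "$demo_dir/server.crt" "$demo_dir/$key"; then
        echo "$key: matches server.crt"
    else
        echo "$key: does NOT match server.crt"
    fi
done
rm -rf "$demo_dir"
```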