"v=spf1 -all"

In SPF, the record "v=spf1 -all" is an interesting case. I found one domain that illustrates it:

[root@~]# host -t txt wa-first.com
wa-first.com descriptive text "v=spf1 -all"

That is to say, no host or IP address is authorised to send mail using wa-first.com in the "mail from" (envelope sender) address. If the domain is used only for hosting a web site and no email is involved, this is a proper setting that offers strong protection.

0x20 bit encoding

Security researchers have recently shown that a resolver can randomly mix upper- and lower-case spelling of the domain name in the queries it sends out; because DNS names are case-insensitive, the authoritative server echoes the name back exactly as it was asked. This protection scheme is called 0x20 encoding, after the bit of the ASCII code that distinguishes the two cases. See the diagram below.

To inject a fake address record into the resolver's cache, an attacker must also predict the random case of each letter of the domain name in the query string. In the illustration above, the chance of poisoning the resolver's cache is reduced by a factor of 2^10, attributable to the 10 letters in "example.com".
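As an added illustration (not part of the original post), the following Python sketches both halves of the scheme: randomising the case of an outgoing query name, and accepting a reply only when its question name echoes that exact case. The function names are my own, and the reply check is shown in isolation from the transaction ID and port checks a real resolver also performs.

```python
"""0x20 encoding, illustrated: the resolver randomises the case of the
letters in the query name and accepts a reply only if the question
section echoes that exact case. DNS names are case-insensitive, so the
authoritative server answers the name as asked, while a forger working
from the lower-case name has to guess every letter's case."""
import secrets


def case_bits(name: str) -> int:
    """Number of ASCII letters in the name: each carries one bit of extra
    entropy (the 0x20 bit of its ASCII code) on top of the transaction ID
    and source port."""
    return sum(1 for ch in name if ch.isascii() and ch.isalpha())


def encode_0x20(name: str, pattern: int) -> str:
    """Apply case pattern 'pattern' to the letters of 'name': the i-th
    letter (left to right) is upper-cased when bit i of 'pattern' is set.
    Dots, digits and hyphens have no case and carry no bit."""
    out, i = [], 0
    for ch in name:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if (pattern >> i) & 1 else ch.lower())
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def random_0x20(name: str) -> str:
    """Randomly cased copy of 'name' for one outgoing query."""
    bits = case_bits(name)
    return encode_0x20(name, secrets.randbits(bits) if bits else 0)


def reply_matches(sent_qname: str, reply_qname: str) -> bool:
    """Resolver-side check: the question name in the reply must be
    byte-identical (case included) to the name that was sent; a reply
    that matches only case-insensitively is discarded."""
    return sent_qname == reply_qname


def poison_success_odds(name: str) -> float:
    """Chance that one forged reply guesses the case pattern, given that
    it already matches the transaction ID and source port."""
    return 2.0 ** -case_bits(name)


if __name__ == "__main__":
    q = random_0x20("example.com")  # e.g. "eXamPle.CoM"
    print(q, case_bits("example.com"), poison_success_odds("example.com"))
    print(reply_matches(q, q), reply_matches(q, "example.com"))
```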

For those who find the layout of PuTTY dull and boring, SecureCRT is worth considering as an alternative SSH client. A lot of user-friendly functions are provided in its tool bar and menu bar.


Difference between /dev/st0 and /dev/nst0

I use a SCSI tape drive to back up data, and the drive has the generic device name /dev/st0. /dev/st0 always rewinds to the beginning of the tape after each operation. Because of this, /dev/st0 only allows one archive to be created (tar cvf /dev/st0 data), and all subsequent data must be added to that single archive by appending with the syntax "tar rvf /dev/st0 newdata". How about multiple archives on one tape? The answer is /dev/nst0, which does not rewind the tape to the beginning, so new archives can be created one after the other.


IE market share drop below 70 %

Net Applications has published the latest market share figures for the various browsers.

IE market share has dropped below 70%. Great! This is a good sign that more people are switching to Firefox, which is more secure.


No CAPTCHA verification required when posting message in blogger.com

Google's blogger.com has removed the nuisance of requiring bloggers to type the characters in a CAPTCHA image when they post messages. This makes sense, since bloggers have already been authenticated before they can log in.

However, I would like to warn Google that CAPTCHA verification should still be required for anyone who wants to comment on a blog. Otherwise, automated scripts could pollute the blogosphere with blog spam.


resolving nameservers and forwarders

I made some major changes to my resolving nameserver.
Instead of performing recursive queries itself for trusted IP addresses, it now uses the two DNS servers provided by my upstream ISP as forwarders. The syntax added to /var/named/chroot/etc/named.conf is as follows:

options {
        directory "/var/named";
        forwarders {;; };   // the two ISP resolver addresses are listed here
        forward only;
};

Do I need to worry that, if one forwarder fails, queries will get stuck until they time out? The answer is no. One beauty of BIND 9 is that forwarders are not tried in the order listed or in a round-robin manner. Instead, the nameserver selects which forwarder to query first based on measured round-trip response time. If one forwarder fails, the nameserver will select the remaining working one.


Logo of CITEL

The logo of CITEL (Inter-American Telecommunication Commission) is the most complicated I have ever seen. With so many colours and so much detail, how could the logo be printed on business cards or letterheads? By the way, putting all the national flags together has no reference to telecommunication. At most, it suggests a group of countries acting jointly.