Late last year, there were reports that hackers could successful pass CAPTCHA image test by using sophisticated character reading /recognition techniques. With this trend, software developers try to make CAPTCHA test more difficult to break by the introduction of MATH CAPTCHA.

The imges below are from some websites to protect against input by automatic scripts:

The web site will ask what is the result of the math problem shown in the image above?

It seems MATH CAPTCHA tends to offer higher level of protection as it requires human mindset to solve a math equation. But sooner or later, hackers will make it useless again.


Small letters be used in IPv6 addresses

I have notice that it has become a norm in the industry NOT to use capital letters when dealing with ABCDEF characters in IPv6 addresses either in documentation or in actual DNS entries. For instances:

2001:371::ABCD should be avoided and
2001:371::abcd should be preferred.

Actually, the use of small alphabets will cause more reading errors such as a, b, c and d all confusing with 0. On the other hand, capital letters tend to cause less reading errors (just B and D confusing with 8 and 0). However, small letters are chosen because the majority of named servers are operated under Linux and Unix OS which are case sensitive and traditionally small letters are used in these OS.


Phishing filter and visual indication of EV SSL Certificate

One of my IE7 browsers had phishing filter disabled for faster web access without going through to US Microsoft's site for checking of domain against phishing. However, a problem arose. Whenever I accessed secure web sites (https://www.isaca.org/ or https://www.hsbc.com.hk/) signed with an EV (Extended Validation) SSL server certificate, the address bar could not turn green. On careful check, the problem was related to phishing filter disabled. So what should I choose, having green address bar of EV SSL or faster access without phishing filter ? I picked the latter.


wild card SSL certificate

I find one organization in Hong Kong using wild card SSL certificate, HKCERT. The issue statement states the certificate is issued to the domain *.hkcert.org as shown below:

A note on the cost. Quoting from Thawte, the annual fee of a wild card certificate is US$799 whereas that of a standard certificate is US$249.


What interfaces should be eliminated in modern netbook ?

Netbook must be slim, light weight, handy consuming as low power as possible. To further reduce the size of and power drain of netbook, I think at least LAN socket and VGA outlet can be eliminated. For LAN, it is because netbook computers are being used in a mobile environment. The exisiting bundling of HSPA, WiFi and Bluetooth is sufficient for wireless access. As for VGA out connector, this has no useful purpose at all unless you use it for presentation. Besides, the dimension of the VGA connector will defeat the slim design of netbook. It should be eliminated for consumer and convenience sake.

After killing the two interfaces, there should be a reduction in power drain.



變形金剛主角在國內的譯名很攪笑 :

香港譯名 國內譯名
Autobots 博派 汽車人
Decepticon 狂派 霸天虎
Optimus Prime 柯柏文 擎天柱
Megatron 麥加登 威震天
Starscream 星星叫 红蜘蛛
Fallen 科倫 墮落者
Devastator 破壞者 大力神

最莫名奇妙的要算是 Starscream,它外形不像蜘蛛,身體亦非紅色,何以被稱為红蜘蛛呢?


Auto SSH login

I have tried using puttygen.exe to generate private and public key pair for SSH auto login via putty. The public key will need to be uploaded to the directory /home/user/.ssh/ and renamed as authorized_keys. There is a need to use vi to edit the public key file to add ssh-rsa in the beginning and remove carriage return and new line. Afterwards, one has to config putty to authenticate a login user by private key. The steps are quite confused but fortunately they are all clearly spelt out in the URL http://www.codelathe.com/blog/index.php/2009/02/20/ssh-without-password-using-putty/.

The use of private key for auto login also works for sftp. The sftp client that I use is WinSCP.


SSL virtual web hosting

I need to jot down some hints why SSL/HTTPS support for name-based virtual hosts is not possible.

It is because of the SSL protocol in itself. For establishing the connection between the client and the server, the SSL parameters are negotiated first. The client is required to know which server is to connect to which can not happen at the moment because the host: header information has not been exchanged to determine which virtual host to send the request to. This is a “chicken and egg” issue and is the reason why each SSL-enabled Web site must be configured on a unique IP address.

The good news, of course, is availability of address should not be a concern in the case of IPv6.