CISSP won the "Best Professional Certification Program"

I was extremely happy to learn that CISSP won the "Best Professional Certification Program" from SC Magazine.

The link is here :


I read the following with a bit of excitement:

"The CISSP is not only an objective measure of excellence, but a globally recognized standard of achievement. It requires at least five cumulative years of relevant work experience in two or more of the 10 domains of the CISSP CBK (common body of knowledge), or four years of work experience and a four-year bachelor's degree or a master's degree in information security. To maintain the certification, CISSP holders are required to obtain 120 continuing professional education (CPE) credits every three years, with a minimum of 20 CPEs posted during each year of the three-year certification cycle. This continuing education ensures that CISSP-certified pros are keeping up with the latest threats.

One major point that sets the CISSP apart from other security certifications is the breadth of knowledge and experience necessary to pass the exam. A CISSP candidate cannot specialize in just one domain. They must know and understand the full spectrum of the (ISC)2 CBK to become certified. In addition to the required five cumulative years of relevant work experience in two or more of the 10 domains, CISSPs must also legally adhere to the (ISC)2 Code of Ethics, be endorsed by a current (ISC)2 member, and undergo continuing education to keep the certification current. By meeting each of the above requirements, employers can rest assured that when they hire a professional who holds the CISSP credential, that person has been tested on understanding industry best practices and possesses a broad knowledge of the field and sound professional ethics and judgment."


Google and the China Great Firewall

After google.cn redirected to google.com.hk, some of my IT friends have discussions if running https:/www.google.com.hk can circumvent blocking by the China Great Firewall (GFW). The answers and scenarios are quite complicated. In the absence of HTTPS, sensitive keywords can not be passed to Google. When https is employed, some sensitive keywords (June 4 massacre, DaLai Lama, Tibet independence etc) submitted by Chinese netizens can be absorbed by Google and Google can presents a list of URLs and descriptions best match the search results. However, when Chinese netizens click on the URLs, the traffic fallback to HTTP again and the GFW can block by keywords, domains or IP addresses.

Those reading should have a clearer understanding by now. Without relying on encrypted means (SSL VPN, SSH + Proxy), there is no way to escape the GFW’s inspection.


Another IPv6 email test site

There is a website which allows people to send emails to account on IPv6 mail servers :


This site is accessible by IPv6 addresses only. The test tool is written in PHP. I am exploring if I can find codes to do the same.

It can help to verify if a newly established IPv6 email server can received emails. The outgoing direction is not tested. I am also thinking of a web-based IPv6 email autoreply facility which helps verify the email functionality in the two directions.


Google is leaving China. What's next ?

Google is leaving China. What's next. The website of baidu.com greets you with :

"Welcome to the new Internet world of China search. We are disciplined. We know what information is good for you. Enjoy."


Ookla speedtest software

I have installed and tested the trial version Ookla speedtest engine at URL:


The configuration is easy. Just tell the config file what URL is used and if the server is running apache, use "filename.asp" inside index.html. By same token, "filename.asp" or "filename.jsp" will be used for IIS and Tomcat web server respectively. No gimmicks or hassles at all.

I try to dig out the logics behind the speedtest engine, some of which can be found in Ookla documentation:

Latency Test

1. This test is performed by measuring the time it takes to get a response for an HTTP request sent to the web server.
2. It is done 10 times (configurable) with the average value determining the final result.

Download Test

1. A small binary file is downloaded from the web server to the client to estimate the connection speed.
2. Based on this result, one of several file sizes (jpg files with sizes of 1M, 2M, 8M, 12M and 32M) is selected to use for the real download test.
3. The download test is performed with cache prevention via a random string appended to each download.

Upload Test

1. A small amount of random data is generated in the client and sent to the web server to estimate the connection speed.
2. Based on the result, an appropriately sized set of randomly generated data is selected for upload.
3. The upload test is then performed by pushing via POST with the aid of a server-side script.

The trial licence will expire in one month.


FCC Broadband Test

The FCC has added broadband test in the official website www.broadband.gov.

I have done test on my home 6M-ADSL line from PCCW.

The test results are :

download speed = 3584 kbps
upload speed = 193 kbps
latency = 235 ms
jitter = 28 ms

The upload and download speeds are quite ok to me. Actually Google offers to FCC the line connectivity and Google has ample bandwidth in HK. The only problem is that with 235 ms latency, I might not have good quality VoIP, video-conferencing and online games with the US side.

By the way, I need to give a fake US address in order to conduct the test.


Improvements of motherboards

I do not follow up closely on new improvements of motherboards. Just find out quite recently latest desktop boards of Intel have removed com ports, parallel printer port, IDE and floppy connection. Removing these obsolete things has long been overdue. I am really happy to see new motherboards look smart and take care of user needs.


Benchmarking and stress test tools

I had funs with two benchmarking tools. They are "ab" which stands for Apache Benchmarking tool and siege. Both can be used to stress test a web server.

#ab -k -n 1000 -c 100 http://www.example.com/123.html

The above states that 100 threads are concurrently open and each makes 1000 requests. "-k" means to perform multiple requests within one HTTP session

#siege -b -r 1000 -c 100 http://www.example.com/123.html

This one operates similarly and siege is run in background mode.

Just a note to remind myself that when doing stress test on a web server, it is better to know the maximum concurrent threads the server is configured.


Mitigating the risks of unintentional IPv6 tunnels to IPv4 corporate networks

Some network administrators have started to look at mitigating the risks of unintentional IPv6 tunnels which introduce threats to corporate IPv4 networks. Basically, there are three type of threats :

a. Teredo tunnels by internal hosts;
b. GUI-based tunnel-broker clients like gogoclient; and
c. 6to4 tunnels which affect public servers in the DMZ.

For (a), we can ban UDP port 3544 in the outgoing direction since all Teredo servers must listen on that port within the IPv4 network path. For (b), Gogoclient and other similar programs must adhere to the specification of Tunnel Setup Protocol (TSP) and the port used is UDP 3653. Hence killing this port is feasible to disable all kinds of GUI TSP clients. As for 6to4 tunnels, some have suggested to ban Protocol 41 (IPv6 Protocol Number) entirely in a firewall. Banning entirely Protocol 41 is just like demolishing a big house because of a worm found inside the house. Just a little bit of pesticide to spray on the worm is ok. I think we can stop all servers or hosts to access the anycast address as a way to eliminate the establishment of 6to4 tunnels.

If anyone has better ideas of stopping unintentional IPv6 tunnels by means of a coporate firewall, please share your knowledge.


Akamai Network

I was asked to explain how the Akamai's Content Delivery Network (CDN) operate. Here is what I have jotted down :

"Akamai is the biggest CDN in the world which builds upon distributed computing platforms. As of today, the network is comprised of more than 60,000 high performance servers to store contents and applications and these servers are scattered over 70 countries. Customers in Hong Kong are Cathay Pacific and Apple Computer etc. Last year, when the HKSAR Government hosted the fifth East Asian Games, the Games website was also linked with Akamai to better serve Internet users in the Asian region.

By subscribing to the service of Akamai, Cathay Pacific can ensure that customers worldwide can access its web contents with improved speed and performance which can not be achieved by placing an array of servers in Hong Kong. In operation, the online contents and applications of Cathay Pacific’s web server will be replicated in real-time to Akamai’s servers. When users type in the domain www.cathaypacific.com, this URL is just an alias of a sub-domain name assigned to Cathay Pacific by Akamai (cdn.cathaypacific.com.edgekey.net) which then points to a number of IP addresses."

The above note should be quite easily understood by average Internet users as well as laymen.