Giving myself a choice: since the television at home can only show TVB's shoddy programmes, I am ready to watch other channels on my smartphone and tablet.
This is Warren Kwok's Internet notepad, electronic diary, online rubbish journal, whatever you might name it! It is an archive of my random thoughts in chronological order. I am not good at reporting boring things and making them lively. If you find this blog boring, sorry, that is your problem.
2013/12/22
2013/12/16
2013/12/10
reformgovernmentsurveillance.com
This site has the worst web server configuration in the world.
It listens on an IP address instead of a fully qualified domain name, so a digital certificate and HTTPS cannot be applied. There is no "robots.txt" and no 404 error page, and I believe there are many other apparent flaws.
2013/11/29
2013/11/28
SMTP over TLS, do it or not
After careful deliberation, I propose to my department not to do SMTP over TLS. I am sure I have made the right decision. The considerations are as follows:
1. There might be less than 1% of mail servers globally supporting this function.
2. There is no standard or recommended practice on whether self-signed certificates can be allowed on the server or client side.
3. Equally, there is no standard or recommended practice on whether servers should request clients to present their certificates for authentication.
4. In the absence of industry practice, network administrators just make their SMTP TLS settings arbitrarily or use the defaults provided by commercial off-the-shelf security gateways/appliances.
5. Many mail servers that have been operating for years have outdated CA lists.
6. In case of mail delivery failure, it is nearly impossible to troubleshoot or to request the other side to amend their settings.
Opportunistic TLS encryption could only be achieved if there were supporting recommended industry practice.
2013/11/27
6to4 address connectivity problem
Port25.com is a renowned world leader in enterprise-grade email solutions. How can port25.com have this crazy setting in its MX:
port25.com. 3600 IN MX 100 mail.port25.com.
mail.port25.com. 3600 IN AAAA 2002:453f:951e::1
This leads me to issue my last serious warning to all network administrators: 6to4 addresses should not be used to set up web and email servers, whether in test mode or production mode. They cause a lot of trouble. Please use 6in4 tunneling.
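The check I would script for this, as an added example that is not part of the original post: walk a zone's MX targets, look at each AAAA record and flag any that sits in a tunnel prefix (6to4 2002::/16 or Teredo 2001::/32), decoding the embedded IPv4 endpoint so the operator can see which IPv4 host the "IPv6" mail server really is. The MX and AAAA data are an in-memory copy of the two records quoted above; nothing is queried over the network.

```python
import ipaddress

# Constructed DNS answers copied from the post: the MX target and its AAAA record.
MX_RECORDS = {"port25.com.": [(100, "mail.port25.com.")]}
AAAA_RECORDS = {"mail.port25.com.": ["2002:453f:951e::1"]}

SIXTOFOUR_NET = ipaddress.IPv6Network("2002::/16")  # RFC 3056
TEREDO_NET = ipaddress.IPv6Network("2001::/32")     # RFC 4380


def classify_ipv6(addr_text):
    """Return (kind, embedded IPv4 or None) for one IPv6 address.

    6to4 and Teredo addresses carry an IPv4 address inside them; the
    stdlib exposes it through the sixtofour and teredo properties.
    """
    addr = ipaddress.IPv6Address(addr_text)
    if addr in SIXTOFOUR_NET:
        return "6to4", str(addr.sixtofour)
    if addr in TEREDO_NET:
        _server, client = addr.teredo
        return "teredo", str(client)
    if addr.is_private:
        return "ula-or-local", None
    if addr.is_global:
        return "native", None
    return "other", None


def check_mx_targets(zone, mx_records=MX_RECORDS, aaaa_records=AAAA_RECORDS):
    """List every MX host of `zone` whose AAAA record sits in a tunnel prefix.

    Returns (mx host, AAAA, kind, embedded IPv4) tuples; an empty list means
    every MX target has native (or no) IPv6 addresses.
    """
    findings = []
    for _pref, host in sorted(mx_records.get(zone, [])):
        for aaaa in aaaa_records.get(host, []):
            kind, v4 = classify_ipv6(aaaa)
            if kind in ("6to4", "teredo"):
                findings.append((host, aaaa, kind, v4))
    return findings


if __name__ == "__main__":
    for host, aaaa, kind, v4 in check_mx_targets("port25.com."):
        print("MX %s has %s: %s address, IPv4 endpoint %s" % (host, aaaa, kind, v4))
```

Run against real zones by replacing the two dictionaries with the output of a resolver library; the classification logic stays the same.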
2013/11/25
Generate CA cert and sign server cert
Many IT bloggers have written down the steps for making self-signed certificates. I should jot down my own notes on how to generate my own CA cert and use it to sign my own server cert. The procedure, if I recall correctly, is more or less as follows:
**** Generate my own CA cert/key and sign my own server cert ****
#openssl genrsa -des3 -out myca.key 4096
[Generate a key for the self-signed CA; a passphrase is required to protect the key]
#openssl req -new -x509 -days 3650 -key myca.key -out myca.crt
[Use the key to create an X.509 certificate with the name myca.crt]
#openssl genrsa -des3 -out v6-mail.com.key 2048
[Generate a key for my server]
#openssl req -new -key v6-mail.com.key -out v6-mail.com.csr
[Generate a certificate signing request from the server key]
#openssl x509 -req -days 3650 -in v6-mail.com.csr -CA myca.crt -CAkey myca.key -set_serial 01 -out v6-mail.com.crt
[Sign the CSR with my CA cert and CA key, set the serial number to 01 and produce the signed certificate in crt format]
#openssl rsa -in v6-mail.com.key -out new.v6-mail.com.key
[Remove the passphrase, writing a new server key file]
#openssl rsa -in myca.key -out new.my-ca.key
[Remove the passphrase, writing a new CA key file]
#rm v6-mail.com.key
#mv new.v6-mail.com.key v6-mail.com.key
#rm myca.key
#mv new.my-ca.key myca.key
**** End of Process ****
2013/11/23
SMTP over TLS for Gmail
Great, I have just found out that Gmail performs SMTP over SSL/TLS without caring whether the server or client cert on the other side is signed by a CA. This ensures 100% support for encryption. That is to say, we can use a self-signed certificate. A million thanks to Gmail.
2013/11/21
HSBC email server settings
What the hell is that in my maillog, hsbc attempting to send as Hang Seng Bank? That's why I always say HSBC ignores security.
Nov 21 01:31:18 i3way sendmail[2228]: STARTTLS=server, relay=psmtp9.hsbc.com.hk [203.112.90.17], version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
Nov 21 01:31:19 i3way dkim-filter[5266]: rAKHVI5N002228 external host psmtp9.hsbc.com.hk attempted to send as hangseng.com
2013/11/18
Free-to-air TV licensing consultants' reports
Earlier, the Legislative Council wanted to invoke the Powers and Privileges Ordinance to obtain the contents of the four consultants' reports. That is no longer necessary: the main contents of the reports have been exposed. The Executive Council's black-box operation and 689 acting on his own are now undeniable facts. Seven million people now know the whole affair was completely without justice. 689, your approval rating still has a long way to fall.
2013/11/01
Parachuting an Administrative Officer in as Director
An Administrative Officer must never be parachuted in as Director. Once that happens, professional engineers' promotion prospects are castrated: colleagues in five ranks get no promotion, namely Deputy Director, Assistant Director, Chief Engineer, Senior Engineer and Engineer, and graduates lose one more opportunity to join the government as engineers!
http://news.mingpao.com/20131101/gaa1h.htm
The Director of Buildings has the power to handle and demolish dangerous buildings. This concerns protecting citizens' lives and property, and such duties can only be performed by trained professional engineers.
2013/10/28
Scooter
For over 10 years, whenever I feel unhappy, I listen to the songs of Scooter and then things in my mind change. "Faster, harder, Scooter", "Move your ass", "Apache rocks the bottom", and so many more. Thanks for the fantastic music, Scooter. You guys are awesome.
2013/10/27
2013/10/19
2013/10/18
Over 25% of Verizon Wireless Traffic Is Now Over IPv6
Needless to say, IPv6 is part of LTE. It is a shame that LTE operators in HK do not offer IPv6 to end users.
2013/10/14
Giving up data roaming services
CSL has increased the daily charge of data roaming from HK$168 to HK$198, an increase of 18 %. I can not afford such a high daily charge. For my next trip, I will rent a pocket wifi device which is charged at HK$88 per day, available at Telecom Square:
http://www.telecomsquare.hk/
2013/10/13
2.4 GHz WiFi channels
My experience tells me that among the three non-overlapping channels in the 2.4 GHz WiFi band, channel 6 is always more congested than channels 1 and 11. I don't know why.
2013/10/10
2013/10/07
Climbing over the wall? Or into the wall?
A greedy relative asked me to teach his whole family to use a VPN so they can play games and download software from mainland Chinese websites. Although I taught them how to use the VPN, as a member of the information security profession this is a very painful thing, because there will be a few more zombie computers in Hong Kong. All I could do was urge them repeatedly to install anti-virus software. Sigh, I had no choice.
2013/09/30
2013/09/29
CGN
Carrier Grade NAT (CGN) - an evil and ugly technology that kills network applications and innovations. No one is happy with it.
2013/09/25
cheap SSL certificates
Just ordered and received one SSL certificate from Cheap SSLs at US$8.9 for 1 year's use, no other charges.
www.cheapssls.com
Even though it is affordable, I still think that the PKI structure which puts Certificate Authorities in a supreme position is a flaw. There is no need to have Certificate Authorities in the digital online world.
2013/09/17
SMTP over TLS
SMTP over TLS is straightforward. Just make sure the MTA supports TLS, then set in the MTA config file where to find the CA cert, server cert/key and client cert/key. That's all.
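What the "self-signed or CA-signed" question in the SMTP over TLS posts boils down to is two different TLS policies. The following is an added example, not code from the blog, showing both in Python's standard library: a verified context that rejects self-signed or mismatched certificates, and an opportunistic one that encrypts against any certificate (the behaviour the Gmail post describes). The `probe_starttls` helper is an assumed name; it talks to a real MX and is not exercised by the test.

```python
import smtplib
import ssl


def verified_context(cafile=None):
    """TLS with full verification: chain to a trusted CA plus hostname match.
    `cafile` may point at a private CA bundle when both parties agreed on one."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def opportunistic_context():
    """Encrypt-only TLS: any certificate, including self-signed, is accepted.
    This stops passive eavesdropping but not an active man-in-the-middle, which is
    the trade-off behind the observation that Gmail does not check the peer cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def policy(ctx):
    """Summarise what a context enforces, for logging or a config self-test."""
    return {
        "verify_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verify_hostname": bool(ctx.check_hostname),
        "min_version": ctx.minimum_version.name,
    }


def probe_starttls(host, port=25, strict=True, timeout=10.0):
    """Connect to an MX, confirm STARTTLS is advertised and negotiate it.

    Returns (offered, negotiated, error). With strict=True a self-signed or
    mismatched certificate makes negotiation fail, the failure mode the post
    worries about; with strict=False the session still encrypts. Network call,
    not run by the test.
    """
    ctx = verified_context() if strict else opportunistic_context()
    offered = None
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            offered = smtp.has_extn("starttls")
            if not offered:
                return (False, False, None)
            smtp.starttls(context=ctx)
            smtp.ehlo()                  # re-EHLO after TLS, as RFC 3207 requires
            return (True, True, None)
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        return (offered, False, str(exc))
```

Running the probe twice, once strict and once opportunistic, tells you which of the two policies a given peer can actually satisfy before you commit an MTA to either.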
2013/09/13
2013/09/11
Selector of Facebook's DKIM Key
Interesting, when I looked at the header of an email from Facebook, I found the DKIM-Signature as follows:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=facebookmail.com;
s=s1024-2011-q2; t=1378874220;
bh=RZqavvVaT/9/C1fdtvELn/vrEJC9Q5C/X8tnCwdRrhs=;
h=Date:To:From:Subject:MIME-Version:Content-Type;
b=FXKVjd7kn/lF5PnDTngllmI72AJ+iuHIFLmoFhUJMGsN1NBbcLkSNctqB12hYBBUN
eJknvOHvvqRNEliiZATpKHORQoaR8EGGZNTdCVkbsMZj9xTW+pPH4HZgfH4yk3IzQz
O4gK1bnIXD7k5aI+ndToMPeoj676W6PO6Hr4hpnY=
The selector is named s1024-2011-q2. Well, I can understand that 1024 bits is used and the key has been in service since Q2 of 2011. Facebook has not changed the key pair for over three years. It is a bad and unacceptable security practice!
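An added example, not from the original post, that turns the reading above into a repeatable check: parse the DKIM-Signature tag list, derive the DNS name a verifier would query for the key, and flag a key whose selector name suggests it is old or short. The `s<bits>-<year>-q<quarter>` naming convention is an assumption taken from the post's own interpretation of the selector; the header is a copy of the one quoted above.

```python
import re
from datetime import datetime, timezone

# The DKIM-Signature header quoted in the post, folded as it arrived (copied, not fetched).
HEADER = """DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=facebookmail.com;
 s=s1024-2011-q2; t=1378874220;
 bh=RZqavvVaT/9/C1fdtvELn/vrEJC9Q5C/X8tnCwdRrhs=;
 h=Date:To:From:Subject:MIME-Version:Content-Type;
 b=FXKVjd7kn/lF5PnDTngllmI72AJ+iuHIFLmoFhUJMGsN1NBbcLkSNctqB12hYBBUN
 eJknvOHvvqRNEliiZATpKHORQoaR8EGGZNTdCVkbsMZj9xTW+pPH4HZgfH4yk3IzQz
 O4gK1bnIXD7k5aI+ndToMPeoj676W6PO6Hr4hpnY="""

# Assumed convention s<bits>-<year>-q<quarter>; it is only what the post reads into the name.
SELECTOR_RE = re.compile(r"^s(\d+)-(\d{4})-q([1-4])$")


def parse_tags(value):
    """Split a DKIM tag=value list (RFC 6376 section 3.2), dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def parse_dkim_signature(header):
    name, _, value = header.partition(":")
    if name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header")
    tags = parse_tags(value)
    for required in ("v", "a", "d", "s", "b", "bh", "h"):
        if required not in tags:
            raise ValueError("missing required tag " + required)
    return tags


def key_record_name(tags):
    """DNS name a verifier queries for the public key: <selector>._domainkey.<domain>."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def selector_hint(selector):
    """Bits and deployment date implied by the assumed selector naming convention."""
    m = SELECTOR_RE.match(selector)
    if not m:
        return None
    bits, year, quarter = (int(x) for x in m.groups())
    first_month = 3 * (quarter - 1) + 1
    return {"bits": bits, "deployed": datetime(year, first_month, 1, tzinfo=timezone.utc)}


def audit_signature(header, max_age_days=365, min_bits=2048):
    """Flag a key that the selector name suggests is old or short."""
    tags = parse_dkim_signature(header)
    if "t" in tags:                      # t= is optional; fall back to "now"
        signed_at = datetime.fromtimestamp(int(tags["t"]), tz=timezone.utc)
    else:
        signed_at = datetime.now(timezone.utc)
    findings = []
    hint = selector_hint(tags["s"])
    if hint:
        age_days = (signed_at - hint["deployed"]).days
        if age_days > max_age_days:
            findings.append("key in service for %d days" % age_days)
        if hint["bits"] < min_bits:
            findings.append("%d-bit key" % hint["bits"])
    return {"record": key_record_name(tags), "signed_at": signed_at, "findings": findings}
```

The selector name is only a hint; the authoritative answer on key length comes from fetching the record named by `key_record_name` and decoding its `p=` value.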
2013/09/09
SPF endless lookup
I found the following SPF errors in my maillog:
Sep 7 14:59:57 i3way sendmail[28894]: r876xsvM028894: Milter add: header: Received-SPF: unknown (i3way.net: error in processing during lookup of domain of 8.h.dvosh.info: Mechanisms used too many DNS lookups) receiver=i3way.net; client-ip=173.254.227.52; helo=8.h.dvosh.info; envelope-from=gvr@8.h.dvosh.info; x-software=spfmilter 0.93 http://www.acme.com/software/spfmilter/;
On checking the TXT record of the domain, it includes itself for further lookup. This results in an endless loop. Here is what I found that caused the many lookups:
[warren@dnssec ~]# dig txt 8.h.dvosh.info | grep spf
8.h.dvosh.info. 3555 IN TXT "v=spf1 include:8.h.dvosh.info ~all"
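Why the milter gave up is easier to see with a small lookup counter. This is an added example, not the milter's code: it follows `include:` and `redirect=` chains over constructed in-memory zone data (the looping record from the post plus made-up sane and over-sized records), applies the 10-lookup limit from RFC 7208 section 4.6.4, and reports a self-include as a loop rather than expanding it until the limit trips.

```python
import re

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms per evaluation
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed in-memory zone data. The first entry is the loop from the post; the
# others are made up to show a sane record and one that overruns the limit.
TXT = {
    "8.h.dvosh.info": ["v=spf1 include:8.h.dvosh.info ~all"],
    "example.net": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "_spf.example.net": ["v=spf1 ip4:198.51.100.10 mx a:mail.example.net -all"],
    "bloated.example": ["v=spf1 " + " ".join(["include:leaf.example"] * 11) + " -all"],
    "leaf.example": ["v=spf1 ip4:203.0.113.5 -all"],
}


def spf_record(domain, txt=TXT):
    """Return the single v=spf1 record of a domain, or None (none or several is a permerror)."""
    recs = [r for r in txt.get(domain, [])
            if r.lower().startswith("v=spf1 ") or r.lower() == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def count_lookups(domain, txt=TXT, _path=(), _count=0):
    """Walk include:/redirect= chains and count DNS-querying terms.

    Returns (lookups so far, status) with status one of
    'ok', 'loop', 'permerror' (no usable record) or 'too many'.
    `_path` is the chain of domains being expanded, so a domain that includes
    itself, directly or through another record, is reported as a loop.
    """
    if domain in _path:
        return _count, "loop"
    rec = spf_record(domain, txt)
    if rec is None:
        return _count, "permerror"
    count = _count
    for term in rec.split()[1:]:
        term = term.lstrip("+-~?")                              # strip the qualifier
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()  # mechanism/modifier name
        if name not in LOOKUP_TERMS:
            continue                                            # ip4/ip6/all/exp cost nothing
        count += 1
        if count > MAX_LOOKUPS:
            return count, "too many"
        if name in ("include", "redirect"):
            target = term.split(":" if name == "include" else "=", 1)[1]
            count, status = count_lookups(target, txt, _path + (domain,), count)
            if status != "ok":
                return count, status
    return count, "ok"
```

Pointing `TXT` at live data (a dict filled from a resolver) turns this into a pre-publication check for your own SPF record; a record that comes back 'too many' will be rejected by receivers exactly as the log line above shows.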
2013/09/08
DKIM replaced by Opendkim
In my last post about DKIM, the package I used was dkim-milter. This has now been replaced by opendkim. For opendkim, the socket to use must be defined in "/etc/opendkim/opendkim.conf" and "/etc/mail/sendmail.mc".
I found two great features in opendkim, namely SigningTable and TrustHosts. SigningTable defines which users may use the private key to sign outgoing email. I think it should be *, which means everyone. As for TrustHosts, as the name implies, it tells which domains and IP addresses may use which key to sign email messages if the SMTP server serves multiple domains. For interest's sake, I dump a few config lines of the associated files.
/etc/mail/opendkim/signingtable
#*@abc.com default._domainkey.example.com
*@abc.com default._domainkey.abc.com
admin@vm-host.net default._domainkey.vm-host.net
/etc/mail/opendkim/trusthosts
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should be the first entry in this file.
127.0.0.1
mail.abc.com
vm-host.net
202.81.251.17
2013/09/07
SPF and DKIM for anti-spam
Oh my God, this is the first time I have successfully made Sendmail work with DKIM for outgoing and SPF verification for incoming emails. Hey, HSBC and Citibank do not use DKIM for anti-phishing even though they send email notices to customers. In short, I am doing better than the two banks.
The benefits are two fold. My emails can be verified by other DKIM-enabled SMTP servers for source authentication and the signature can guarantee no tamper is made in the end-to-end delivery process. On my server, the same can be done.
The public key can be found by:
#dig -t txt sept2013._domainkey.i3way.net
;; ANSWER SECTION:
sept2013._domainkey.i3way.net. 3600 IN TXT "v=DKIM1\; g=*\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDq8KAvkv66AOeWd3UnpR74kDcIS4dkL8xR8wzzHUTvrrJR9l3B+X5wTZkHctfhjKHBmZg+W7MZW1b5O4SHI/n3FbqJ+6MK5jxHyx02Q6HSTtaYXjzalE3K0zgy4DRN7n/iYvRgS99OJw6LrKDcnzfRuO554G68aRgd32yflw+DQIDAQAB"
Forgot to mention that the RSA key pair has no expiry. I can use it for signing emails forever.
For DKIM, the process as I recall is:
1. Generate the key pair under the designated path /etc/mail/dkim-milter/keys, specifying a selector (e.g. sept2013, my-dkim etc.)
2. Extract the public key for publishing as a DNS TXT record
3. Edit keylists to tell which public keys are included and for what domain
4. Edit sendmail.mc to add:
INPUT_MAIL_FILTER(`dkim-filter', `S=local:/var/run/dkim-milter/dkim-milter.sock')
5. Recompile sendmail.mc to sendmail.cf by m4
6. Start up dkim-milter
7. Restart sendmail
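A published DKIM record tells a verifier more than the selector name does, because the `p=` value is the key itself. The following added example (my code, not the dkim-milter or opendkim tooling) parses the TXT record quoted in this post, which is the only input it uses, decodes the base64 SubjectPublicKeyInfo with a minimal DER reader and reports the RSA modulus size and exponent, so the "no expiry" key above can be measured rather than guessed at. It also recognises an empty `p=`, which is how a selector is revoked.

```python
import base64
import re

# The key record for the post's selector, as dig prints it (copied from the post).
TXT_RECORD = ('"v=DKIM1\\; g=*\\; k=rsa\\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDq8KAvkv66AOeWd3UnpR74kDcIS4dkL8xR8wzzHUTvrrJR9l3B+X5wTZkHctfhjKHBmZg+W7MZW1b5O4SHI/n3FbqJ+6MK5jxHyx02Q6HSTtaYXjzalE3K0zgy4DRN7n/iYvRgS99OJw6LrKDcnzfRuO554G68aRgd32yflw+DQIDAQAB"')

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def parse_key_record(txt):
    """Turn the quoted TXT string into a tag dict; dig escapes ';' inside the string as '\\;'."""
    body = txt.strip().strip('"').replace("\\;", ";")
    tags = {}
    for part in body.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def _tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value bytes, next pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low bits give the size of the length field
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    return tag, buf[pos:pos + length], pos + length


def rsa_key_params(spki_der):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey; return (modulus bits, exponent)."""
    tag, spki, _ = _tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, alg, pos = _tlv(spki, 0)
    if not alg.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _tlv(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsa, _ = _tlv(bitstr, 1)         # skip the unused-bits octet
    tag, n, pos = _tlv(rsa, 0)
    _, e, _ = _tlv(rsa, pos)
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def audit_key_record(txt, min_bits=2048):
    """Report key size and anything a verifier would complain about."""
    tags = parse_key_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key record")
    if not tags.get("p"):
        return {"bits": 0, "exponent": None, "findings": ["empty p=, key is revoked"]}
    bits, exponent = rsa_key_params(base64.b64decode(tags["p"]))
    findings = []
    if bits < min_bits:
        findings.append("%d-bit RSA modulus, below %d" % (bits, min_bits))
    if "g" in tags:
        findings.append("g= tag present; it was dropped in RFC 6376 and is ignored by modern verifiers")
    return {"bits": bits, "exponent": exponent, "findings": findings}
```

Because a DKIM key has no built-in lifetime, rotation is an operational decision: publish a new selector, start signing with it, and only then blank the old record's `p=`.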
2013/09/06
2013/09/05
2013/09/02
Victoria Park swimming pool to be demolished
The Victoria Park swimming pool is to be demolished. Of the pools that accompanied our post-60s generation as we grew up, only the Kowloon Tsai Park swimming pool remains. It has many special features, such as a 12-foot deep end, an arched footbridge and a huge sunbathing deck. The most memorable thing was the aircraft passing a few hundred feet overhead; the deafening roar was bearable only if you covered your ears. From now on we must cherish it more and set aside some time every year to relive the joy of those days.
2013/08/29
2013/08/24
2013/08/19
2013/08/07
Old-fashioned computer skills
This morning in the MTR carriage I heard a few young people discussing Unix command structure, C++ language syntax and so on. I had always thought young people would have no interest in these 30-year-old, old-fashioned computer skills; it turns out I guessed wrong. I really want to remind the youngsters: you must learn sed and awk. Their capabilities are breathtaking and you will benefit from them for life.
2013/08/02
iPhone 5C
What does the “C” in iPhone 5C mean ? It could mean cheap, complete, compact, colors, customizable or cool. To me, I think it means crap.
2013/07/31
2013/07/29
2013/07/28
Symbolic link to access Dropbox
Just created a symbolic link in the Dropbox folder of my MacBook Air. The result is that I can sync and back up other important directories to Dropbox cloud storage without duplicating the directories/files/documents in the default Dropbox folder. This saves a lot of hard disk space and admin tasks. Extremely useful!
2013/07/23
2013/07/19
Teredo tunneling
Please be fair to Microsoft. Teredo is a gift from Microsoft albeit there is no guarantee on the quality of service. The technology behind is highly complicated.
2013/07/17
6to4 in WAN connection
This is a difficult question. My IPv6 router supports 6to4 on the WAN connection and therefore I can have IPv6 addresses assigned by SLAAC + stateless DHCPv6 on the LAN side. Will PCs on the LAN side associated with the router give IPv6 higher priority than IPv4 when accessing dual-stack websites? My past experience is that for an end-point 6to4 address assigned automatically on Windows 7 PCs, the IPv6 connection has a lower priority. I will find out the answer as soon as possible.
2013/07/12
Why IPv6 only devices fail to access IPv4 applications through DNS64 + NAT64
Oh, I forgot to write why IPv6-only devices fail to access IPv4 applications even when the IPv6 service provider has provided DNS64 + NAT64. It is because some applications hard-code IPv4 addresses instead of domain names. The remedy by 464XLAT is to have an extra module in devices which converts the outgoing IPv4 address to a pseudo IPv6 address (46 translation), and at the service provider to change the IPv6 address back to an IPv4 address (64 translation). Combining the 46 translation and the 64 translation together, the name 464XLAT is derived.
It should be noted that there is no need to assign any NAT IPv4 address to a device when using 464XLAT.
As all applications must pass through this module, it can only be implemented at the OS level. I know Android CLAT is designed with this in mind.
2013/07/10
DNS64 + NAT64 + 464XLAT
"DNS64 + NAT64 + 464XLAT" is really genius. All problems of connecting IPv6-only devices to IPv4 applications are resolved. Only an extra CLAT module is needed in smartphones or gateway routers. CLAT handles the translation of IPv4 to IPv6 for applications that do not work with DNS64. CLAT is needed when transitioning to IPv6 on GSM networks using NAT64 as the IPv4 access method.
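The two posts above on DNS64/NAT64 and 464XLAT can be followed in code. This added example (not from the blog, and not Android's CLAT implementation) does the address arithmetic of RFC 6052 with the well-known prefix 64:ff9b::/96: synthesising an AAAA from an A record as DNS64 does, recovering the IPv4 destination as NAT64 does, and showing why an application that dials an IPv4 literal gets nothing on an IPv6-only host unless a CLAT is present. The resolver data is a constructed in-memory stub.

```python
import ipaddress

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")  # RFC 6052 NAT64 prefix

# Constructed stub resolver data: one name with only an A record, one dual-stack name.
A_RECORDS = {"v4only.example.": ["192.0.2.1"]}
AAAA_RECORDS = {"dual.example.": ["2001:db8::10"]}


def dns64_synthesize(ipv4_text, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (the DNS64 step)."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper only handles /96 prefixes")
    v4 = int(ipaddress.IPv4Address(ipv4_text))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def nat64_extract(ipv6_text, prefix=WELL_KNOWN_PREFIX):
    """Recover the IPv4 destination from a synthesized address (the NAT64 step); None if not ours."""
    addr = ipaddress.IPv6Address(ipv6_text)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def resolve_aaaa_with_dns64(name):
    """What a DNS64 resolver hands an IPv6-only client: real AAAA if any, else synthesized from A."""
    if name in AAAA_RECORDS:
        return list(AAAA_RECORDS[name])
    return [dns64_synthesize(a) for a in A_RECORDS.get(name, [])]


def destination_for(app_target, clat_present):
    """Where an IPv6-only host can actually send a packet for what an application asked for.

    A hostname goes through DNS64 and works. An IPv4 literal never touches DNS, so
    DNS64 cannot help; only a CLAT (the 46 half of 464XLAT) can wrap it into the
    NAT64 prefix so the provider's NAT64 (the 64 half) can deliver it.
    """
    try:
        ipaddress.IPv4Address(app_target)
    except ValueError:
        return resolve_aaaa_with_dns64(app_target)
    return [dns64_synthesize(app_target)] if clat_present else []
```

An operator-specific prefix (a /96 learned via RFC 7050's ipv4only.arpa probe, for instance) can be passed in place of the well-known one; the embedding is the same.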
2013/07/06
Upgrade IPv4 network to IPv6 network ?
This is written by Huawei in a technical white paper:
“During the upgrade from an IPv4 broadband access network to an IPv6 broadband access network, the addresses of users are upgraded from IPv4 addresses to IPv6 addresses.”
IPv4 and IPv6 networks are incompatible, there can not be any upgrade. Moreover, it gives readers the impression that IPv4 addresses can be upgraded to IPv6 addresses by extending the address space. I want to say “FUCK” to Huawei !
2013/07/02
Config IPv6 LAN side
The best configuration I choose for IPv6 LAN side with a routed /64 prefix is SLAAC + DHCPv6 Stateless. I can not use SLAAC + RDNSS as Windows 7 still can not support it. I don’t like DHCPv6 Stateful, no reason for that, just a personal dislike.
I love SLAAC + RDNSS most but can not use it.
2013/07/01
2013 July 1 march
Today's marchers all showed high quality. They gathered in Victoria Park from 2 pm to set off, and when they met a downpour they put on raincoats, held up umbrellas and waited patiently for over an hour. When turning into Yee Wo Street, the police failed to open the road in time and they were made to stand for another hour while the wind and rain kept sweeping across; even then the marchers remained very restrained, only loudly demanding that the road be opened quickly, with no foul language or cursing. They also willingly handed leaflets and plastic bottles to the waste collection points the organisers had set up instead of dropping them on the ground. DAB and FTU, your supporters bought with snake soup, vegetarian feasts, cakes and rice dumplings will never have this quality.
2013/06/29
Secure automatic remote backup
Secure automatic remote backup is easy. Just consider “crond + script + rsync + ssh + ssh key”. I am sure you will be addicted.
2013/06/26
Noise Floor
Some engineers in the mobile industry have no basic knowledge of noise floor. I repeat below:
Noise power N = kTb
k = Boltzmann constant
T = absolute temperature (kelvin)
b = channel bandwidth
For an LTE system occupying 10 MHz bandwidth, the noise floor is -104 dBm.
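The formula carried through in code, as an added example that is not part of the post: N = kTb converted to dBm, with the 290 K reference temperature that gives the familiar -174 dBm/Hz density (the post does not state its temperature; 290 K is the usual assumption and reproduces its -104 dBm figure). The receiver-sensitivity helper is an extension the post does not make: floor plus noise figure plus required SNR.

```python
import math

BOLTZMANN = 1.380649e-23   # J/K, exact SI value
T_REFERENCE = 290.0        # K, the usual reference that yields about -174 dBm/Hz (assumed)


def noise_floor_dbm(bandwidth_hz, temp_k=T_REFERENCE):
    """Thermal noise N = kTb expressed in dBm (10*log10 of the power in milliwatts)."""
    watts = BOLTZMANN * temp_k * bandwidth_hz
    return 10.0 * math.log10(watts * 1e3)


def noise_density_dbm_per_hz(temp_k=T_REFERENCE):
    """kT alone, the per-hertz figure to which engineers add 10*log10(b)."""
    return noise_floor_dbm(1.0, temp_k)


def receiver_sensitivity_dbm(bandwidth_hz, noise_figure_db, required_snr_db, temp_k=T_REFERENCE):
    """Floor plus the receiver's own noise figure plus the SNR the modulation needs."""
    return noise_floor_dbm(bandwidth_hz, temp_k) + noise_figure_db + required_snr_db


def lte_noise_floor_table(bandwidths_mhz=(1.4, 3.0, 5.0, 10.0, 15.0, 20.0)):
    """Noise floor per nominal LTE channel bandwidth, rounded to 0.1 dB."""
    return {bw: round(noise_floor_dbm(bw * 1e6), 1) for bw in bandwidths_mhz}
```

Using the nominal channel bandwidth, as the post does, gives the figure a planner quotes; using the occupied bandwidth of the resource blocks actually scheduled gives a slightly lower number.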
2013/06/22
My tests on IRC blocking in 6in4 tunnel
I was helping to test the goIPv6 tunnel (6in4 tunnel) which will be officially launched on 11 July 2013. There are two security precautions imposed by the tunnel provider, namely blocking of SMTP and IRC connections. This is quite understandable, as malware-infected PCs can send out spam and communicate with botnet command and control centres through IRC port 6667 to launch malicious attacks. Wait, I did not have an IRC daemon. How could I test it? I recalled that I could make use of netcat (nc) as follows:
Server side (listening mode): #nc -6 2401:300:0:1::8080 -l 6667
Win 7 client side (transmit mode): c:\nc6 2401:300:0:1::8080 6667 -n -v
On the client side, nc6 for Windows 7, which supports IPv6, should be used. If the connection can be put through, key inputs from the client side will be echoed on the server side.
Hopefully, the blocking test was conducted successfully.
2013/06/21
DNSv6
Trust me, there is no such new technology or protocol named as DNSv6. All authoritative DNS servers, whether riding on IPv4 or IPv6 backbone, can support AAAA record and ip6.arpa for reverse lookup !
2013/05/26
Luxor relief
How tragic! A 3,500-year-old Luxor relief has had its historical and cultural value destroyed by the seven Chinese characters 「丁錦昊到此一遊」 ("Ding Jinhao was here"). Apart from people from the "mighty nation", no foreign tourist would do such a barbaric thing.
http://news.now.com/home/international/player?newsId=68895
2013/04/24
No privacy protection if you are using Gmail account
Gmail scans content of my incoming emails. I can not do anything to stop such privacy intrusion.
----- Transcript of session follows -----
... while talking to gmail-smtp-in.l.google.com.:
>>> DATA
<<< 550-5.7.1 [2401:300:0:1::8080 7] Our system has detected that this message
<<< 550-5.7.1 is likely unsolicited mail. To reduce the amount of spam sent to
<<< 550-5.7.1 Gmail, this message has been blocked. Please visit
<<< 550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for
<<< 550 5.7.1 more information. ps11si2916950pab.141 - gsmtp
554 5.0.0 Service unavailable
2013/03/14
Always leave office on time
1. Work is a never-ending process. It can never be completed.
2. The interest of a client is important; so is your family.
3. If you fall in life, neither your boss nor your client will offer you a helping hand; your friends and family will.
4. Life is not only about work, office and clients. There is more to life. You need to socialize, entertain, relax and exercise. Don't let life be meaningless.
5. A person who stays late in the office is not a hard-working person. Instead he/she may be a fool who does not know how to manage work within the stipulated time. He/She is a loser who does not have a personal or social life. He/She is inefficient and incompetent in his/her work.
6. You did not study hard and struggle to become a machine.
7. If your boss forces you to work late, he/she may be ineffective and have a meaningless life too; so forward this to him or her.
Leaving office on time = efficient, good social life, quality family life.
Leaving office late = inefficient and incompetent, no social life, less family time.
2013/03/02
2013/02/18
Blog CAPTCHA
I have recently received a lot of blog spam, most of which deal with medicine. Presumably, the messages are generated by some automatic scripts and these spam messages disturb a lot of bloggers. This leaves me no choice but to activate CAPTCHA verification. I hate deleting spam messages manually one by one and I hope that with the use of CAPTCHA, the number of blog spam can be reduced to a minimum.
2013/02/05
2013/02/04
Change of IP address in Root Server D
Root Server D has changed its IP address on 3 Jan 2013. I have done my job to align with the change. The file to change is "/var/named/chroot/var/named/named.ca".
The old IP address will retire in the next 6 months. Just wonder how many ISPs and network administrators have done their work diligently?
http://d.root-servers.org/
2013/02/03
Google map offline
When I was in Dubai 2 months ago, I relied on Google Maps to guide me from various Metro stations and main streets to shopping malls and hotels. This was done in online mode, and sometimes the responses were slow if the connected 3G network was congested, not to mention the data usage charges.
I just discovered that Google Maps offers an offline cache, though the area is restricted to 10 miles x 10 miles for each cached map. That would save me a lot of time and cost next time I travel in another city. Without delay, I have downloaded cached maps of Shenzhen, Macau, Zhuhai and Beijing. It is better to view the offline maps on a 7-inch Android tablet than on a small smartphone. Google is very thoughtful. Thanks.
2013/02/01
Google public DNS can support DNSSEC
Google has completed a marvelous job. Its four public resolvers at "8.8.8.8", "8.8.4.4", "2001:4860:4860::8888" and "2001:4860:4860::8844" can now support DNSSEC and perform signature validation.
[warren@dnssec ~]# dig +dnssec ds icann.org @2001:4860:4860::8844 | grep ad
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
[warren@dnssec ~]# dig +dnssec ds icann.org @2001:4860:4860::8888 | grep ad
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
[warren@dnssec ~]# dig +dnssec ds icann.org @8.8.8.8 | grep ad
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
[warren@dnssec ~]# dig +dnssec ds icann.org @8.8.4.4 | grep ad
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
My double thumb up to Google.
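The `| grep ad` above works but matches a substring anywhere in dig's output. An added example, not from the post, that parses the header properly: it tokenises the flags line, so only the AD flag itself counts, and it reads the status so that a SERVFAIL (what a validating resolver returns for a broken signature chain) is distinguished from an unsigned zone. The three dig headers are constructed, modelled on the ones quoted above, with answer sections omitted.

```python
import re

# Constructed dig headers, modelled on the ones in the post. Only the status and
# flags lines matter here; the answer sections are left out.
VALIDATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1"""
UNVALIDATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1"""
BOGUS = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""

FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);", re.MULTILINE)
STATUS_RE = re.compile(r"\bstatus:\s*([A-Z]+)")


def dig_flags(output):
    """Return the header flags as a set, e.g. {'qr', 'rd', 'ra', 'ad'}."""
    m = FLAGS_RE.search(output)
    return set(m.group(1).split()) if m else set()


def dnssec_verdict(output):
    """Classify one +dnssec answer from a validating resolver.

    'secure'   : AD bit set, the resolver validated the chain.
    'bogus'    : SERVFAIL, which a validating resolver returns for a broken chain
                 (it can also be a plain outage, so retry against a second resolver).
    'insecure' : answered without AD; the zone is unsigned or the resolver did not validate.
    """
    m = STATUS_RE.search(output)
    if m and m.group(1) == "SERVFAIL":
        return "bogus"
    if m and m.group(1) != "NOERROR":
        return m.group(1).lower()
    return "secure" if "ad" in dig_flags(output) else "insecure"
```

Feed it the captured output of `dig +dnssec` for each resolver you want to vet; a resolver that never sets AD for a known-signed zone such as icann.org is not validating, whatever its documentation says.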
2013/01/31
2013/01/30
Dibbler for Windows XP
For those who are using Windows XP, they know that there is not yet a DHCPv6 client even when the IPv6 stack is manually installed. The good news is that the Dibbler portable DHCPv6 client is available free of charge at http://klub.com.pl/dhcpv6/dibbler/. I don't have the chance to try this add-on DHCPv6 client as all my desktop and notebook PCs are running Windows 7. Have fun.
2013/01/27
China generated 32 % of global network attack traffic
China generated 32 % of global network attack traffic, according to Akamai's State of the Internet 3Q 2012 Report. It is really a champion and a shame.
The second worst country is US, responsible for 13 % of the total. Some nice pictures of the situation can be seen from:
http://www.akamai.com/dl/akamai/q3_2012_soti_infographic.pdf
2013/01/25
Fake HKCERT email
By now, it has been widely reported in the media that there was a fake HKCERT email advising recipients to patch the recent Adobe Flash vulnerability, with a fake patch attached. I tried to look at what measures HKCERT has been taking to protect its email domain. Unfortunately, HKCERT does not use Sender Policy Framework to specify which IP addresses and domains may use "hkcert.org" as the sender domain in the email header. HKCERT has learnt a lesson the hard way.
2013/01/17
Gmail over IPv6
An overseas network administrator contacted me to discuss the problem when conducting IPv6 email tests with Gmail. Understandably, some administrators think that Google Gmail can help to test IPv6 email setup. The fact is Gmail receives incoming emails from dual-stack mail servers based on the rule that v6 channel has priority over v4, but in sending out emails to dual-stack mail server, Gmail always selects the v4 path. I also doubt if Gmail can send out to IPv6 only mail servers. In the past, my IT colleagues thought our dual-stack mail server was wrongly configured after testing with Gmail and spent many hours of trouble-shooting with no clue of what happened. In the end, it was Gmail that used its own means of v4/v6 path selection without adhering to the dual-stack rule. I think this fact is now well-known to the IPv6 technical community.