If you find 802.11ac wireless routers equipped with 100 Mbps ports on either the LAN or WAN side, don't buy them. This is a rubbish design.
This is Warren Kwok's Internet note pad, electronic diary, online rubbish journal, whatever you might name it! It is an archive of my random thoughts in chronological order. I am not good at reporting boring things and making them lively. If you find this blog boring, sorry, that is your problem.
2014/12/17
2014/12/15
Use an app instead of a calculator
When working on radio propagation distances, I need to convert between miles and kilometers. What comes to my mind is not a calculator. It is about downloading an app. Shit, what a useless person I am on this planet.
2014/12/11
IPv6 privacy extension
Law enforcement agencies say they can track IPv6 devices or computers. They are absolutely wrong. PCs and smartphones have a built-in "privacy extension" to prevent the last 64 bits from being tracked.
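What the privacy extension changes in those last 64 bits, as an added Python example that is not part of the original post: with plain modified EUI-64 autoconfiguration the interface's MAC address is embedded in the address, so the same identifier shows up under every prefix the device visits. The addresses are constructed on the 2001:db8::/32 documentation prefix, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: one device (MAC 00:11:22:33:44:55) seen on two networks
# with EUI-64 addresses, plus one randomized privacy-style address.
SAMPLE = [
    "2001:db8:1:1:211:22ff:fe33:4455",
    "2001:db8:2:2:211:22ff:fe33:4455",
    "2001:db8:1:1:5c3a:91e4:7b02:d9f1",
]

def embedded_mac(addr):
    """Return the MAC embedded by modified EUI-64 (RFC 4291), or None.

    EUI-64 puts ff:fe between the two halves of the MAC and flips the
    universal/local bit. A random identifier can match the ff:fe pattern
    by chance (1 in 65536), so treat a hit as a strong hint, not proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]   # last 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def linkable_devices(addresses):
    """Return MACs whose EUI-64 identifier appears under more than one /64."""
    prefixes_by_mac = {}
    for addr in addresses:
        mac = embedded_mac(addr)
        if mac is not None:
            prefix = ipaddress.IPv6Address(addr).packed[:8]
            prefixes_by_mac.setdefault(mac, set()).add(prefix)
    return sorted(m for m, p in prefixes_by_mac.items() if len(p) > 1)

if __name__ == "__main__":
    for a in SAMPLE:
        print(a, "->", embedded_mac(a) or "no embedded MAC")
    print("linkable across networks:", linkable_devices(SAMPLE))
```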
2014/12/08
Gparted live CD
I needed to change the file system of a hard disk from ext3 to NTFS for use by Windows. Intuitively, I thought that in a Linux environment it would involve the steps of fdisk /dev/sda1, delete partitions, create new primary partition, write the partition table, mkfs ntfs /dev/sda1. All these command line steps are not necessary. Just use the Gparted live CD (Gnome Partition Editor); after boot-up, two clicks in the GUI can accomplish the task. There are other good functions such as resizing partitions and copying a partition for the sake of image backup. A great discovery. Nice to share in this personal blog.
2014/11/17
802.11u, Passpoint and Hotspot 2.0
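Last week I had the privilege of meeting WiFi Alliance CEO Mr Edgar Figueroa, and I finally sorted out how the three technologies 802.11u, Passpoint and Hotspot 2.0 fit together. 802.11u hands the wireless connection over between different networks, for example jumping from 3G / 4G to WiFi, which achieves mobile data offloading (cellular offloading). Passpoint is a certification programme that verifies interoperability among equipment supporting 802.11u. As for Hotspot 2.0, it is a large set of infrastructure specifications covering authentication, confidentiality, billing, roaming agreements and so on. In my humble opinion, in the foreseeable future all network operators will invest in Hotspot 2.0 infrastructure. Fixed network operators can provide high-performance WiFi platforms to enter the mobile services market, and can also lease Hotspot 2.0 infrastructure to mobile network operators. Of course, operators that run both fixed and mobile networks will embrace Hotspot 2.0 all the more, to ease the demand for spectrum. WiFi has been around for more than 15 years, and to this day it is still being improved and gaining new functions. For this we have to thank the IEEE networking experts for the effort they have put in over the years.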
2014/11/09
2014/11/06
protecting .hk ccTLD systems
Yesterday, when doing a half-yearly clean-up of my authoritative name servers, I found the measures for protecting the ".hk" ccTLD systems from DDoS attacks resulting from malicious querying of "popvote.hk" still in place. I purposely attached a screen dump for easy recall.
The solution was to tell clients that popvote.hk was hosted here and there was no need to go through “.hk”. HKCERT and HKISPA jointly appealed to all ISPs to do this in order to protect all kinds of services using .hk domains. Up to now, I am still not sure how many of them agreed to implement the interim measures.
On a related matter, the attacks on popvote.hk brought some good development to the local ISP industry. Some ISPs had run resolvers and authoritative name servers on the same machines. During the attack period, a larger volume of queries flooded their resolvers, which made the authoritative name servers unworkable. How could they explain the situation to their customers? If I were one of the customers, I would definitely ask: popvote.hk is none of my business, so why did attacks on "popvote.hk" make all my name records vanish? In the light of increasing DNS attacks, ISPs in Hong Kong should have realised that they could not bundle a resolver and an authoritative name server in the same machine.
2014/11/05
Opendkim
I had used dkim-milter for over a year. This milter was pretty good, but as it was being phased out, I had to switch to opendkim. The configuration was pretty easy as I had gained some experience with dkim-milter. Up to now, I still have no idea what percentage of my DKIM-signed outgoing emails are accepted as coming from a reputable sender and not treated as suspicious spam. The point is: do it. If Facebook, Gmail and Yahoo all do it, why hesitate to follow suit?
2014/11/02
rsync + ssh and scp
Something I could have misunderstood for a long time. I always think scp is powerful for retrieving files to a local host from a remote server, but all the files obtained will have permissions and access rights set to those of the one who invokes the scp command.
#scp -P 1234 -r user@xyz.com:/remote/path/ /local/path/
This is not desirable for restoration purposes as the original attributes have been lost. I turned to rsync, like the one below:
#rsync -chavzP --stats --rsh='ssh -p1234' user@xyz.com:/remote/path/ /local/path/
As I have always said, rsync is one of the most powerful backup tools that has ever existed in the world. The more you learn, the more you love it.
2014/09/08
sine wave with MS powerpoint
Don't laugh. I am not able to draw a sine wave with MS PowerPoint. I don't want to use Excel for importing such a graph from a math equation.
2014/09/06
2014/09/01
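WiFi router speed dropped by 80%
The speed of my TP-LINK 802.11n router at home dropped by 80% at a distance of ten feet. I checked all the config and everything was normal. Just as I was about to buy a new one, I suddenly remembered that I had not checked the antennas. Sigh, of the three coaxial antenna connectors, two were not screwed tight at all. Sigh, how careless. Should I retake my engineer's licence exam!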
2014/08/31
2014/08/25
2014/08/21
2014/08/20
2014/08/04
2014/07/30
2014/07/24
2014/07/07
450 Mbps LTE download speed
If a mobile carrier has 20 MHz bandwidth in each of the 1.8 GHz, 2.1 GHz and 2.5 GHz bands, it can offer 450 Mbps download speed by Carrier Aggregation across different bands in an LTE-A network. Any such resourceful carriers in the world?
2014/07/05
2014/07/01
2014/06/28
Chrome flash plugin
Google makes Chrome a piece of shit by embedding its own Flash plugin into the browser, which crashes with the Adobe plugin. Chrome does not know which one to use! I need to manually disable the embedded one.
2014/05/03
2014/05/01
RFC 1918 address leaked out
What the hell is that?
[localhost~]# dig a +short mail.hkbn.com.hk
192.168.99.100
RFC1918 address leaked out? Misconfiguration? Or an authoritative name server serving both Intranet and Internet?
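A check an operator could run over a zone's published answers to catch this kind of leak, added here as an example (not from the original post). The records are constructed in `dig +noall +answer` layout on example.com names; only the address 192.168.99.100 comes from the post, and `leaked_private_records` is a hypothetical name.

```python
import ipaddress

# The three private ranges reserved by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample answers; 172.32.0.1 sits just outside 172.16.0.0/12.
SAMPLE = """\
mail.example.com.   3600 IN A     192.168.99.100
www.example.com.    3600 IN A     203.0.113.10
vpn.example.com.    300  IN A     172.31.4.7
edge.example.com.   300  IN A     172.32.0.1
www.example.com.    3600 IN AAAA  2001:db8::10
alias.example.com.  3600 IN CNAME www.example.com.
"""

def leaked_private_records(answer_text):
    """Return (name, address, network) for every A record in RFC 1918 space."""
    leaks = []
    for line in answer_text.splitlines():
        fields = line.split()
        # Expect: name, TTL, class, type, rdata. Skip comments and non-A types.
        if len(fields) < 5 or fields[0].startswith(";") or fields[3] != "A":
            continue
        addr = ipaddress.ip_address(fields[4])
        for net in RFC1918:
            if addr in net:
                leaks.append((fields[0], str(addr), str(net)))
                break
    return leaks

if __name__ == "__main__":
    for name, addr, net in leaked_private_records(SAMPLE):
        print(f"{name} publishes {addr} (inside {net})")
```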
2014/04/25
.xxx generic top level domains
Whether you like it or not, the ".xxx" triple x top level domain has been in service for over 2 years. Of course, it is for pornographic websites only. I like the idea because only a simple filtering mechanism is needed to ban children from accessing adult websites.
2014/04/22
DNS reply larger than 4096 bytes
I thought I would never be able to generate a DNS query with a reply size larger than 4096 bytes. I was wrong! Just look at this.
[warren@dnssec ~]# dig any doc.gov | grep SIZE
;; MSG SIZE rcvd: 9735
Of course, the reply has to fall back to TCP instead of UDP. Thanks to the US Department of Commerce for letting me play around with this.
Hackers, don't use this for amplification attacks. You will fail.
2014/04/17
2014/04/13
2014/04/10
heartbleed bug
Announcement: If network administrators have difficulty checking whether their SSL private keys are affected by the Heartbleed vulnerability, they can send me an email attaching the keys and let me know the websites. I will check for them, free of charge, of course.
2014/03/30
2014/03/22
home routers as open resolvers
A friendly note to home users with broadband routers: quite a large number of home routers in use for years have an open resolver fault. Please go to
http://www.thinkbroadband.com/tools/dnscheck.html
to check your router status, and upgrade the firmware to plug the hole.
By having your router as an open resolver, you are helping cybercriminals to launch DDoS attacks.
This is evidence of ASUS RT-N66U routers being able to do DNS amplification attacks.
2014/03/18
Open resolvers again
I repeat my statement again: don’t compare open resolvers with Google Public DNS (8.8.8.8 and 8.8.4.4) and OpenDNS; they are not the same. Google and OpenDNS have all sorts of security features that are beyond imagination.
2014/03/16
No more Amplification Attack
For God's sake, please disable "monitor" if you operate publicly accessible NTP servers.
By the way, if monitor can be removed from the latest patches of the NTP daemon, I see hope of disallowing "ANY" queries in resolvers in coming patches. All name queries should be specific. If you want to do mail exchange, ask for MX followed by the A record. If you want to know the authoritative name server of a domain name, ask for NS. These days, "ANY" would not serve any purpose except network attacks.
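One way a name server front end could act on this, as an added example rather than code from any DNS implementation: parse the question of an incoming query and answer QTYPE ANY with a bare REFUSED reply that is no larger than the query. Choosing REFUSED is an assumption of this example, the queries are constructed, and `build_query`, `parse_question` and `refuse_any` are hypothetical names.

```python
import struct

QTYPE_ANY = 255      # RFC 1035 QTYPE "*", what dig calls ANY
RCODE_REFUSED = 5

def build_query(name, qtype, txid=0x1234):
    """Constructed sample input: a one-question DNS query in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)       # class IN

def parse_question(msg):
    """Return (txid, flags, qname, qtype, end_of_question) for a query."""
    try:
        txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
        if flags & 0x8000 or qdcount != 1:
            raise ValueError("not a single-question query")
        pos, labels = 12, []
        while msg[pos] != 0:
            length = msg[pos]
            if length & 0xC0:
                raise ValueError("compressed name in question")
            labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
            pos += 1 + length
        qtype, _qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    except (IndexError, struct.error, UnicodeDecodeError):
        raise ValueError("malformed DNS message") from None
    return txid, flags, ".".join(labels), qtype, pos + 5

def refuse_any(msg):
    """REFUSED reply for QTYPE=ANY, or None when the query may proceed."""
    txid, flags, _name, qtype, end = parse_question(msg)
    if qtype != QTYPE_ANY:
        return None
    reply_flags = 0x8000 | (flags & 0x0100) | RCODE_REFUSED  # QR=1, echo RD
    # Echo only the question: no answer, authority or additional records.
    return struct.pack("!HHHHHH", txid, reply_flags, 1, 0, 0, 0) + msg[12:end]

if __name__ == "__main__":
    for qtype in (15, 2, QTYPE_ANY):          # MX, NS, ANY
        query = build_query("example.com", qtype)
        reply = refuse_any(query)
        print(qtype, "pass" if reply is None else f"refused, {len(reply)} bytes")
```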
2014/03/10
ping 0.0.0.0
Another interesting thing. An IT guy tried to ping 0.0.0.0 in an attempt to troubleshoot a connectivity problem. He should be fired immediately.
2014/03/08
MAC address intrusion
A complainant said his home PC was being accessed by other people over the Internet through MAC address intrusion. The complainant sought help from his serving ISP. What should the ISP do? Just laugh and do nothing.
2014/03/06
Boosting WiFi signal strength by a Coke can
In today's Apple Daily News, there was a story about boosting WiFi receiving signal strength by means of placing a Coke can close to an antenna. A picture is given below.
The distance between the aluminium foil and the whip antenna should be carefully calculated in order to maximize the directivity, which as a norm is λ/2. For this TP-LINK 2.4 GHz router, the distance is 3x10^8/(2.4x10^9x2) = 0.0625 meter or 2.5 inches.
2014/03/03
IPv4 turn-off day in 2014
In order to show the technical maturity of IPv6, some intelligent people have suggested setting aside one day in 2014 as the IPv4 turn-off day. I just want to ask if this idea really makes sense. If turning off IPv4 results in a large number of users having difficulty in accessing major websites, people will have a very bad idea about the quality of IPv6. I certainly agree there needs to be an IPv4 turn-off day to test where we are during the transition process and whether there will be broken applications if relying on IPv6 alone. The timing is not this year. It might be in the next 10 years. For the time being, just enable dual-stack and stay with dual-stack as much as possible.
2014/02/24
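The Redmi joke
The Redmi joke:
The online flash sale was originally scheduled for 12 noon today, but because tens of thousands of users logged in at the same time, the server failed. Engineers spent some time on emergency repairs, and the sale only resumed at 12:30 pm. During the repairs, these tens of thousands of users put down the work in hand and waited to log in again, and productivity across all trades and industries suffered heavy losses.
Redmi does harm; once is enough.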
2014/02/20
US leads the world in IPv6 deployment
US leads the world again in IPv6 deployment: Verizon - 45 %, Comcast - 28 %, Time Warner Cable - 5.3 %. Finally, the winner is Google Fibre achieving 76 %. These network operators are fantastic!
http://www.internetsociety.org/deploy360/blog/2014/02/new-ipv6-measurements-comcast-nearing-25-verizon-wireless-46-dt-at-18/
2014/02/04
IPv6 adoption reaches 10 % in 2014
Leslie Daigle mentioned in her blog that IPv6 traffic will be boosted to over 10 % by year end. True. This is what I believe from my continuous observation of Google's measurement.
http://www.google.com/intl/en/ipv6/statistics.html
I note from Google's traffic measurement that there is a traffic increase of 25 % every 2 months. Based on this exponential projection, by end 2014, the growth will be 1.25^6, which equals 3.81. Now that we have 2.75 % IPv6 traffic, by year end, the 2.75 % will be boosted to 2.75 x 3.81, which equals 10.49 %. IPv6 traffic reaching 10 % is an important milestone. I am eagerly waiting to witness this important moment.
2014/01/29
About NULL
NULL represents an unknown value, and strictly speaking NULL is never equal to NULL. To say NULL means “does not exist” might not be lexically correct. Confused by what I said? Then put me in “/dev/null”.